In a world where big data just keeps getting bigger and global boundaries have virtually vanished, the dangers of all that transparency have suddenly become all too apparent.
We gleefully shared our most private personal and enterprise data in exchange for access and convenience. It was good. Until we realized we were doling out too much data, perhaps to entities that might misuse it. Worse, criminals were simply helping themselves to sensitive information, often with our inadvertent assistance. Whoa, there! Consumers, businesses, and governments have gone into protection mode, as evidenced by the European Union’s impending General Data Protection Regulation (GDPR).
Companies doing business in Europe should be painfully aware by now that GDPR will go live next May. Industry watchers fear many companies are still not taking seriously the provisions of GDPR, believing the deadline won’t be immediately enforced. But they warn the pain could be very real. It’s really not worth taking the risk. Chances are your organisation needs to comply.
And speaking of risk, how’s it going with your search for that GDPR-mandated Data Protection Officer?
What Is A DPO?
If data privacy – and the growing body of data privacy regulations – is to be an overriding priority, someone has to take charge. Be the expert. This concept isn’t brand new. The International Association of Privacy Professionals (IAPP) has been granting “Certified Information Privacy Professional” (CIPP) credentials to qualified individuals for several years. And a number of large companies have created positions such as Chief Privacy Officer.
Under GDPR, creating an official data protection position to oversee compliance with the law is no longer optional. At least for most companies. (If you’re still dithering about whether you must have a Data Protection Officer, this Decision Tree will help you decide.)
Your Data Protection Officer’s Responsibilities?
• Be the supervisory authority around legal obligations under GDPR
• Monitor compliance and ensure data protection law is upheld
• Conduct impact assessments of proposed decisions relating to customer privacy and the processing of personal data
• Serve as a central point of contact for questions and concerns on personal data and data protection law
• Serve as official responder to data “owners” as requested
Data Protection Officers have expert knowledge, and their core activity is to stay up to date with all relevant compliance requirements -- not only those defined in GDPR, but country-specific (outside the EU) and industry-specific rules as well. In some cases, these requirements could diverge, and it will be the DPO’s job to sort things out to ensure compliance. DPOs should take a risk-based approach.
Do You Need A Data Protection Officer?
Generally speaking, GDPR applies to every company that sells goods or services to European customers (including those in the UK), or that processes or controls private data. These new rules will govern your actions regardless of your industry or where you are physically located. So many American companies, from SMBs to huge corporations, will be swept under the GDPR’s broad wing.
If you have multiple locations or subsidiaries, a single DPO will do, as long as that person is “easily accessible” to each entity.
You’d Better Get Busy
Time is short, and getting shorter. Potential penalties are high. And competition for DPOs is fierce. (The IAPP says some 28,000 DPOs will be needed in Europe.) As we all know, there is a distinct IT labor shortage, especially when it comes to individuals with cyber security expertise. Given the triple constraints of time, labor pool, and competition, you may not be able to find the candidate you want to become your new Data Protection Officer.
In that case, you’ll need to appoint someone already on staff.
You can’t blithely pick a name out of a hat, however. You’ll want to appoint your DPO carefully, because Data Protection Officer is not an at-will position. Your DPO’s job is protected for a term of four years. Four years. The point is to make this person impervious to office politics (or C-suite politics) so they can function independently, as intended.
There’s another option as well – outsourcing – although you might question whether a consultant could devote appropriate time to your enterprise, or whether they might suffer a conflict of interest at some point.
The Case For a DPO Position At Every Company
The concept of a Data Protection Officer has considerable merit for any company concerned about data security. GDPR envisions the DPO as your #1 internal expert on data privacy legalities and enforcement.
Given the speed with which technology is changing, ever-increasing consumer demands for data protection, and the impressive adaptability of would-be bad guys, what company would not want the added peace of mind that comes from knowing someone actually has their eye on the big picture? Someone without 19 other “critical priorities” on their to-do list.
As many talented and experienced IT folks as you might have on your team right now, each of them has a specific job to do. No matter how well they do it, who’s minding overall coordination and communication? Your enterprise cannot hope to minimize cyber threats unless everyone is working together, comprehensively and smoothly. Having a DPO assures a unified, holistic approach to data protection.
Even GDPR itself recommends all companies appoint a DPO, mandatory or not. That way, no business would miss out on the benefits of having a watchdog and a single point of contact to inform and advise. You could call the position whatever you want, and you certainly wouldn’t have to offer it as a four-years-guaranteed stint. The point is, somebody should be responsible for looking out for your company’s and your customer’s best interests when it comes to data privacy.
The Silver Lining? A Potential Marketing Bonanza
Creating a DPO-like position is not just a matter of internal self-defense, it’s a proactive customer service move. And that offers significant marketing opportunities.
With a Data Protection Officer on board, regardless of their official title, you have someone who personifies your organization’s commitment to data security. A living, breathing person responsible for keeping your company on the cutting edge of data privacy. There’s a marketing message in that which could easily resonate with your key audiences, building confidence and trust in your brand.
It’s always good to announce that you have a security plan and policies in place. But the ability to point to a real person who is overseeing and enforcing development and execution of your plan on a daily basis underscores your dedication to the cause. Your company takes threats – and the need to ameliorate them – seriously.
Here’s another reason you need a DPO. According to a recent article in Computing, “almost 70 per cent of Boards have no training to deal with cyberattacks, and one in 10 have no plans in place to respond to a cyber incident.” They go on to note, “Awareness among executives is now absolutely critical in today’s digital age . . . every business needs C-level functional leaders to take responsibility for keeping the business running in these difficult circumstances.” Appointing a DPO is one big step toward reducing risk in the first place, because security and compliance go hand-in-hand.
Hiring a DPO Doesn't Give Everyone Else A Pass
Bringing on a Data Protection Officer – or appointing one from within – won’t eliminate the need for vigilance throughout your company. Your DPO won’t be able to single-handedly eliminate every threat, detect every breach, or resolve every problem after the fact. IT security is now everyone’s job. That means you need more than a DPO. You need a plan.
Your organization already has a disaster recovery plan, right? A cyberattack could be an even bigger disaster for your enterprise, damaging your brand reputation and customer loyalty as well as causing infrastructure and/or functional problems.
So tick tock. It’s time you found your DPO.