What is a Data Protection Officer (DPO) and why are they important for complying with the GDPR?
Actually, the question could be, “What is the data protection oversight role now, and what will define the Data Protection Officer (DPO) role as of May 25, 2018 when the General Data Protection Regulation (GDPR) goes into effect?”
The responsibility of data protection is not new to organizations. Since very large, public data breaches started occurring with alarming frequency in the early 2000s, and regulations such as HIPAA and PCI-DSS were created, oversight of data and its protection has been a C-suite, and now Board-level, concern. Some organizations have Chief Privacy Officers or Chief Information Technology Officers who have data protection under their purview. But according to GDPR Article 37, one of the mandatory compliance requirements is that companies who manage and/or process large amounts of personal data on EU citizens must have a dedicated DPO on staff. The role’s responsibilities will include (according to Article 39):
- Informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other data protection laws.
- Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, training data processing staff, and conducting internal audits.
- Advising with regard to data protection impact assessments when required under Article 35.
- Working and cooperating with the controller’s or processor’s designated supervisory authority and serving as the contact point for the supervisory authority on issues relating to the processing of personal data.
- Being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights.
The DPO position is clearly critical to achieving and maintaining compliance, and failure to do so could result in fines as high as 4 percent of global revenues. Many companies, however, are taking a “head in the sand” approach. According to a snap survey of 170 cyber security staff by Imperva (as seen in ITPro), just 43 percent are assessing GDPR's impact on their company and changing their practices to stay in step with data protection legislation. While the respondents were mostly US-based, they will still need to comply with GDPR if they handle—or are involved with handling—EU citizens' personal data. Despite this, Imperva found that nearly a third said they are not preparing for the incoming legislation, and 28 percent said they were ignorant of any preparations their company might be doing.
Key Requirements for the DPO Role
But with the compliance deadline just a year away, companies need to start hiring for this key role. According to Dark Reading, 75,000 DPOs will be needed worldwide—9,000 in the U.S. alone. As outlined on the official EU GDPR site, there are certain requirements for the DPO role. Importantly, the DPO:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
- Must report directly to the highest level of management
- May be a staff member or an external service provider
- Must not carry out any other tasks that could result in a conflict of interest
It is these last two points that are particularly important and yet could seemingly be at odds if the position is filled by a current employee. Nine out of 10 International Association of Privacy Professionals (IAPP) members surveyed said they would reassign an existing internal employee to take this position—either making their current head of privacy the DPO or training someone else to do it. While this shows confidence by hiring from within, anyone who has worked in a corporate environment knows that it will be a constant challenge to maintain neutrality.
No matter how organizations decide to fill this role—internally, externally or by outsourcing to a third party—they had better be ready to go a year from now to avoid suffering significant fines or a potential impact to their business.