Look for thousands of job listings next year for “data protection officer” to meet a requirement of the European Union’s General Data Protection Regulation, the privacy law that goes into effect May 18, 2018. Here’s a quick rundown to see if you need to start shopping for a DPO, as well.
What companies are covered?
If you control, process or monitor personal data “on a large scale” about persons living in the EU and as part of the “core activities” of your business, you must have a DPO. Ditto if your “core activities” are processing of particularly sensitive data such as criminal records.
Do you have to hire a new position? What if you already have a privacy officer?
You don’t have to hire—an outside contractor could do the job.
You could delegate an existing employee if he or she avoids conflicts of interest—a DPO could not also be the head of marketing, HR or IT, for instance, or, of course, the CEO.
But there are some odd requirements in the regulation that make the role sound more like an ombudsman than an employee. Under the regulation, the data protection officer:
- Must perform the role “in an independent manner”
- “Shall not receive instructions” on how to do the tasks
- Must “be bound by secrecy”
- “Shall not be dismissed” for performing the duties
- “Shall directly report to the highest management”
What are the duties and job requirements of the DPO?
Monitor compliance with the GDPR, train employees and educate the organization on data privacy. Also, act as liaison with regulatory authorities. And assist with the “data protection impact assessments” that companies must prepare for types of data processing that put the privacy rights of individuals at “high risk” (yes, it’s a bit vague in the regulation). The job requirements are “expert knowledge” of the GDPR and enough knowledge of data processing to be an effective watchdog.
Are there penalties for failure to name a data protection officer?
In all likelihood, no EU privacy cops will kick in your door if you don’t name a DPO, but it would not look good if you were involved in a serious data breach involving EU citizens.
The bottom line: treat this as an opportunity, not a burden.
Focus on “smart compliance”. A DPO could help organizations prioritize security gaps and choose cost-effective solutions to close those gaps. A risk-aware approach, based on the FAIR quantitative risk analysis model, could turn compliance into an opportunity for productive risk assessment with benefits beyond meeting the EU’s new privacy rules. For more on that, read this: 3 Ways FAIR and Quantitative Analysis Can Help with GDPR.