Data Protection Officer positions are rising in availability and visibility. As you know, it's a matter of time before the European General Data Protection Regulation (GDPR) is implemented and enforced. Unlike the current Data Protection Directive, GDPR will also apply to organizations, or "Data Controllers", based outside of the European Union if they process the personal data of EU residents, or "Data Subjects". This change alone has huge implications for the available pool of qualified Data Protection Officers (DPOs), but wait until you read the specific DPO requirements in the following sections to understand why I suggest a huge Data Protection Officer shortage in Europe and the world is imminent in the coming years.
My prediction is primarily based on available data about the upcoming European regulation, which has global implications and requires each company to employ a Data Protection Officer. More generally, the changing global regulations and DPO requirements will make it harder for companies to find, hire, retain, and dismiss professionals who can fulfill the regulatory requirements.
The high-level requirements of the DPO under GDPR are listed below to illustrate how the required skillset, spanning regulatory knowledge, communication, audit, risk assessment, and cyber security, will make it difficult to find qualified DPOs.
General Data Protection Regulation
The single European data protection regulation, which is scheduled to be adopted by the spring of 2016 and take effect after a transition period of two years, will not only have an immediate effect on the 28 EU countries once that two-year transition period ends, but will also have huge implications for non-European Data Controllers which collect the personal information of EU citizens ("Data Subjects").
As currently drafted, the GDPR requires companies with 250 or more employees, or processing the data of 5000 Data Subjects, to appoint a DPO under an employment contract of a minimum of four years, or under a service contract of a minimum of two years where the DPO is provided on an outsourced basis.
The DPO should be a "C"-level person who reports directly to executive management or the Board with respect to data protection and related compliance matters. The DPO should have the autonomy, related budget, necessary resources, and decision-making powers to execute data protection plans and tasks, address non-compliance issues, and report incidents to the relevant Data Protection Authority (DPA).
Note that there will be a single DPA responsible for each company, depending on where the Controller is located. A European Data Protection Board will coordinate the DPAs.
One of the first responsibilities of the DPO is to manage notifications or registrations with the relevant DPA with respect to the data processing activities of the Data Controller. Furthermore, the DPO must keep such notifications and registrations up to date.
While the DPO's contract provides a protected employee position, since the DPO cannot be dismissed for convenience, the DPO remains directly liable to each DPA for non-compliance with the GDPR and with the applicable guidelines issued by each DPA.
The Regulation is likely to require that each DPO is chosen for their professional qualities and must have expert knowledge of data protection including:
Duties and Tasks
The DPO has to maintain the balance between the role of trusted advisor to the company and that of enforcer. This will require the DPO to carry out a number of tasks, including:
The DPO needs to implement policies and procedures to manage the risks, including the outsourcing of data processing activities and the use of third-party vendors for HR, IT, and marketing, particularly where those third-party vendors may be processing the company's personal data outside of the European Economic Area and/or within the Cloud.
The DPO needs to maintain a close relationship with the Chief Information Security Officer (CISO) to coordinate compliance and to develop information security and cyber security policies and procedures.
In terms of the development of policies and procedures, the DPO needs to:
Training is an important part of data protection and compliance. Some investigations carried out by the regulators have resulted in fines and penalties due to a lack of training on policies and procedures.
The DPO therefore must provide training in order to raise awareness of policies and procedures among existing and new staff, management, and the Board. The DPO must design and deliver training for the specific needs of the various departments and teams, and produce updated information as changes in laws and regulations emerge.
As you can see, the DPO role is very significant as global privacy frameworks change and data security implications increase. DPOs must stay abreast of all regulatory changes, as well as best practices, by gathering as much information from external sources as possible. This role will be extremely difficult to fill, as DPOs will have to be multi-talented, as follows:
The Certified in Data Protection (CDP) scope consolidates the GDPR and other global privacy laws with international security standards to offer one comprehensive training and certification which produces qualified Data Protection Officers.