Data Protection Officer

By Henry Bagdasarian

Data Protection Officer positions are rising in availability and visibility. As you know, it is only a matter of time before the European General Data Protection Regulation (GDPR) is implemented and enforced. Unlike the current Data Protection Directive, the GDPR will also apply to organizations, or "Data Controllers", based outside of the European Union if they process the personal data of EU residents, or "Data Subjects". This change alone has huge implications for the available pool of qualified Data Protection Officers (DPOs), but wait until you read the specific DPO requirements in the following sections to understand why I suggest that a huge Data Protection Officer shortage in Europe and the world is imminent in the coming years.

My prediction is primarily based on available data about the upcoming European regulation, which has global implications and requires each company to employ a Data Protection Officer. More generally, the changing global regulations and DPO requirements will make it harder for companies to find, hire, retain, and dismiss professionals who can fulfill the regulatory requirements.

The high-level requirements for the DPO under the GDPR are listed below to illustrate how the required skillset, spanning regulatory knowledge, communication, audit, risk assessment, and cyber security, will make it difficult to find qualified DPOs.

General Data Protection Regulation

The single European data protection regulation, which is scheduled to be adopted by the spring of 2016 and to take effect after a transition period of two years, will not only have an immediate effect on the 28 EU countries once that two-year transition period ends, but will also have huge implications for non-European Data Controllers that collect the personal information of EU citizens ("Data Subjects").

Data Protection Officer

Hiring

As currently drafted, the GDPR requires companies with 250 or more employees, or those processing the data of 5000 Data Subjects, to appoint a DPO under an employment contract of a minimum of four years, or a service contract of a minimum of two years where the DPO is provided on an outsourced basis.

Reporting

The DPO should be a "C"-level person who reports directly to executive management or the Board with respect to data protection and related compliance matters. The DPO should have the autonomy, related budget, necessary resources, and decision-making powers to execute data protection plans and tasks, address non-compliance issues, and report incidents to the relevant Data Protection Authority (DPA).

Note that there will be a single DPA responsible for each company, depending on where the Controller is located. A European Data Protection Board will coordinate the DPAs.

One of the first responsibilities of the DPO is to manage notifications or registrations with the relevant DPA with respect to the data processing activities of the Data Controller. Furthermore, the DPO must keep such notifications and registrations up to date.

While the DPO's contract provides a protected employee position, since the DPO cannot be dismissed for convenience, the DPO remains directly liable to each DPA for non-compliance with the GDPR and the applicable guidelines issued by each DPA.

Knowledge

The Regulation is likely to require that each DPO be chosen for their professional qualities and have expert knowledge of data protection, including:

  • Management and organization;
  • Mastery of technical requirements for privacy and data security;
  • Industry specific knowledge in accordance with either the size of the Data Controller, or the sensitivity of the personal data processed;
  • The ability to carry out impact assessments, audits, consultation, documentation, and log file analysis; and
  • The ability to work and communicate effectively with internal and external parties.

Duties and Tasks

The DPO has to maintain the balance between the role of a trusted advisor to the company and that of an enforcer. This will require the DPO to carry out a number of tasks, including:

  • Raising privacy awareness;
  • Designing and implementing policies and procedures;
  • Performing data protection impact assessments;
  • Monitoring compliance;
  • Maintaining documentation;
  • Managing data incidents, breaches, and notifications; and
  • Liaising with data protection authorities and internal parties.

Policy Management

The DPO needs to implement policies and procedures to manage risks, including those arising from the outsourcing of data processing activities and the use of third-party vendors for HR, IT and marketing, particularly where those third-party vendors may be processing the company's personal data outside of the European Economic Area and/or within the Cloud.

The DPO needs to maintain a close relationship with the Chief Information Security Officer (CISO) to coordinate compliance and to develop information and cyber security policies and procedures.

In terms of the development of policies and procedures, the DPO needs to:

  • Provide guidelines to the Board of Directors as well as all staff and management members;
  • Provide guidelines to contractors and third parties that are using company facilities and company information;
  • Liaise with HR in relation to the development of policies, procedures and practices for employee management and hiring;
  • Liaise with the IT department in relation to the development of policies, procedures and practices for information security, data handling, outsourcing, BYOD and monitoring in the workplace; and
  • Liaise with Legal, Sales and Marketing to ensure compliance with applicable laws and regulations for contracts, marketing, advertising, profiling and publicity.

Training

Training is an important part of data protection and compliance. Some investigations carried out by regulators have resulted in fines and penalties due to a lack of training on policies and procedures.

The DPO therefore must provide training to raise awareness of policies and procedures among existing and new staff, management, and the Board. The DPO must design and deliver training tailored to the specific needs of the various departments and teams, and produce updated information as changes in laws and regulations emerge.

Conclusion

As you can see, the DPO role is very significant as global privacy frameworks change and the data security implications increase. DPOs must stay abreast of all regulatory changes as well as best practices by gathering as much information from external sources as possible. This role will be extremely difficult to fill, as DPOs will have to be multi-talented in the following ways:

  • Be able to effectively interpret and understand the changing regulations;
  • Be able to clearly communicate with others to lay out the regulatory requirements, plan, educate and train;
  • Be able to propose and manage budgets;
  • Have great writing skills;
  • Be an analytical risk thinker and gap analyst;
  • Be able to document processes and control points;
  • Be creative and business minded when proposing solutions; and
  • Understand cyber security risks and controls.

Professional Certification

The Certified in Data Protection (CDP) scope consolidates the GDPR and other global privacy laws with international security standards to offer one comprehensive training and certification program that produces qualified Data Protection Officers.

Visit the CDP page for Data Protection Officer training information.