A year has gone by since the GDPR entered into force, and by now organisations should have taken the necessary steps to become compliant with it. That includes conducting risk assessments to understand which data, systems and controls are affected by the regulation, and enacting new processes or updating existing ones to address its requirements. But GDPR is not just about processes and controls.
Depending on the core services they provide and the customers they serve, many organisations in scope are still wasting precious time wondering: Do we need a data protection officer (DPO)? To decide whether hiring a DPO is necessary, it is important to understand what the regulation actually states about the role of a DPO and where one is required or, at the very least, recommended.
The Role of the Data Protection Officer
One of the few explicit requirements the GDPR places on the role is that the data protection officer must have expert knowledge of data protection law and practices. Additionally, the DPO is responsible for informing the controller or processor and their employees of their data protection obligations, monitoring compliance and training staff, providing counsel on data protection impact assessments, and engaging with the relevant supervisory authorities.
The GDPR makes it clear that certain organisations must appoint a DPO. Such organisations include:
- Public authorities. This includes government agencies and publicly funded institutions (such as universities, research centers and museums) that process personal data in the EU or personal data that originates from the EU.
- Organisations with core activities comprised of “regular and systematic monitoring of data subjects on a large scale.” This includes companies that do job searches and those that are involved in social media, marketing or anything associated with the movement of money.
- Organisations where core activities contain “large scale” processing of “special categories” of personal data. Special categories include information related to health, race or ethnicity, political beliefs, union memberships or other potentially sensitive information.
The GDPR proves particularly challenging because it does not spell out which entities DO NOT need a DPO. Organisations therefore need to look at privacy through a risk management lens, not only to better prepare for privacy-related regulatory compliance but also to address broader enterprise-wide privacy risks and advance strategic objectives.
In assessing the need for a DPO, it is helpful to think in the broader context of overall risk. Ask the following questions:
- Does your organisation face significant financial, reputational, production or regulatory risks if data is compromised?
- Are the potential impacts of non-compliance (such as fines, legal action and public relations) a real threat to your organisation? And can you realistically withstand them?
Keep in mind that the penalty for GDPR non-compliance can reach a whopping 4% of global annual revenue or €20 million, whichever is greater.
Once an organisation determines the need for a DPO, it will need to consider how to fill the role. The regulation states that the DPO can be a staff member or contractor with expert knowledge of data protection law and practices, but while the broad job description might make it sound like an IT responsibility, the expertise and skills required of the DPO’s role go beyond a traditional IT function.
In fact, the GDPR also introduces an independence requirement similar to the internal audit function: The DPO is not allowed to take instruction from their employer, cannot be dismissed for doing their job and must report directly to the “highest management level.” The necessary firewalls make it difficult to assign someone who already holds another post.
Another option is to engage a third party to serve as a “virtual DPO.” Some firms can serve as virtual DPOs for organisations, which offers a few advantages:
- Cost: A small or mid-sized firm is unlikely to spend $200,000 or more per year to hire a dedicated DPO. The virtual route allows the organisation to engage at whatever level is appropriate.
- Expertise: A virtual DPO can leverage the experience gained from working with multiple companies across multiple verticals. Tapping into this practical privacy experience can help with the development of best practices.
- Agility: A virtual DPO’s job is to stay ahead of new regulatory developments and data protection techniques globally, including emerging case law on GDPR. This provides the organisation with timely, relevant insights and guidance to support planning and decision making.
What to Look For in a Data Protection Officer
When it comes to skills and credentials, data protection officer backgrounds can vary considerably. It is a relatively new discipline and the few privacy certifications that currently exist are fairly immature. In general, there are some high-level attributes the DPO should possess, regardless of whether an organisation chooses the internal or external path:
- The data protection officer must be an expert on privacy. The DPO must have extensive knowledge of privacy issues and regulations. This is not limited to GDPR, of course. Knowing the wider universe of privacy rules, such as HIPAA (Health Insurance Portability and Accountability Act), COPPA (Children’s Online Privacy Protection Act) and PCI DSS (Payment Card Industry Data Security Standard), is essential. An understanding of international laws and penalties is also important. For example, Malaysia’s new data privacy act includes jail time as a penalty for violations. It is essential for a potential DPO to have a strong understanding of existing regulations and how they apply to your type of organisation, as well as an awareness of developing regulations.
- The data protection officer needs a deep understanding of your organisation. Every organisation’s privacy needs and risk profile are different. The DPO needs to understand the factors at play in your industry. They also need to understand your organisation’s culture, processes and unique relationship to data and data privacy.
- The data protection officer must be well-matched to the accountability function rather than the IT function. While a basic understanding of your organisation’s technology will be important, the DPO is more closely related to an auditor than an engineer. Backend integration is a relatively minor aspect. The DPO will likely spend significant time monitoring compliance and addressing processes and controls, understanding what different business units are launching, educating staff, managing data requests and communications with data subjects, providing the necessary information to leadership and the board and corresponding with authorities.
- The data protection officer must be able to act as the “privacy champion,” influencing the culture and rallying support from the very top. The DPO will require a high level of cooperation across the enterprise, including buy-in from senior management and functional leaders. A culture change is critical. The entire organisation needs to embrace a data privacy mindset and make it just as much of a priority as they would expect it to be when handled by other organisations.
GDPR is only one regulation among many pieces of proposed legislation worldwide, much of which is driven by shifting consumer sentiment. Organisations must be ready to adapt across their enterprises. Ultimately, they will need to be clear on where they stand on data privacy, understand their unique risks and act accordingly to take control of the information they collect and process. For many organisations, that will mean addressing the DPO role.