Deciding whether or not your company needs a data protection officer under the EU’s forthcoming General Data Protection Regulation is not always an easy or straightforward decision. What’s worse, the difficult decisions don’t end once you have concluded that, in fact, yes, you do need one. Now the company has to find the best person for the position, which is no easy task for several reasons. One, the EU has not clearly defined the requirements for the DPO’s job. Two, the role requires several different kinds of expertise.
Indeed, companies have a long uphill climb ahead of them as they set forth to find their DPO, said Robin Bloor, chief strategy officer at Algebraix. “Few corporate cultures have any notion of the DPO role and how to support the DPO with staff and systems. For companies that hold a great deal of personal data, this is not a peripheral role.”
The DPO Must Wear Three Hats
The DPO role is poorly defined by the European Union, said Hyoun Park, an analyst at Amalgam Insights — essentially the regulation calls for an “expert knowledge of data protection,” he said. But in reality, the DPO has three main responsibilities, each of which requires special expertise. These are: compliance, IT/security and communication.
As part of the compliance responsibility, the DPO serves as the actual point of contact between the company and the European Union supervisors, which means the DPO has to have experience dealing with regulatory agencies and should have hands-on experience with compliance issues such as internal audits, Park said.
The security role requires the DPO to understand the IT and technology infrastructure associated with the data, how to maintain all the records associated with the data and to train the staff on how to use the data properly.
The communications role focuses on educating employees and stakeholders on the compliance requirements, as well as talking with actual customers to let them know how their data is being used. “The DPO’s contact information is public so this person doesn’t just get to hide and think about data security. This is a public-facing role and of all the responsibilities that fall under the DPO, this is probably the least well thought out. In the worst case scenario, the DPO will need to work directly with the EU to report a breach in a timely fashion and will have to communicate this breach to customers and other personnel who have provided information to the company,” Park said.
Ignoring The Other Roles
What many companies have been doing, according to Park, is focusing on the security/IT piece as they look for a DPO. That is a mistake — compliance and communication should be equally weighted in the hiring decision. Bart Willemsen, research director at Gartner, also noted the same trend, that is, companies assigning the role of DPO to, say, the chief information security officer (CISO). He agrees that this is a mistake. “The DPO position is basically a one-person representation of a regulator inside an organization. So you can’t just tell the CISO, ‘look, here’s an extra hat, now you’re the DPO too,’” said Willemsen.
Privacy Versus Security
Even if the DPO’s responsibilities were focused primarily on IT, it still would be a mistake to tap a CISO or a chief privacy officer, according to Willemsen. “We took an informal security-focused survey of our clientele early 2017, pre-GDPR, and asked ‘where does your lead privacy role report to?’ We had 22 percent tell us that the lead privacy role reported to the Board of Directors, 22 percent reported to the CISO, while 37 percent said their privacy expert reported to a CIO or IT specialist,” he said. What that boils down to is that a combined 59 percent reported to a technology specialist — but privacy protection goes far beyond that role.
Also, the DPO is not there to make sure an entire organization is privacy compliant, Willemsen said. “His job is to say to the organization ‘there are 99 articles in the GDPR, a couple of them are specifically valid for us and we may have a gap in compliance. We need to do something.’” From that point the company should instruct somebody else to make the necessary changes.
It should also be noted that the CISO role primarily minds business risk, which is quite different from privacy risk, according to Willemsen, as privacy risk focuses on the risk to an individual, not the risk to the business. “So a CISO may decide he wants to log every keystroke and mouse click employees make for analysis. But it is the privacy expert’s job to say ‘no, let’s not because employees are people who want privacy too.’ If you put those two hats on one person they would have to be close to a schizophrenic,” said Willemsen.
Two Heads Are Better Than One
For this reason, it isn’t unheard of to have multiple people advising the DPO, said Todd Wright, Global Product Marketing for SAS Data Management solutions. In fact, that is how some companies are covering both the tech and the legal/compliance components of the role. “An important recommendation is constant teamwork between legal and IT,” he said.