The time to start staffing up for the GDPR is now. Organizations have very little time to discuss, plan, and execute all of the business initiatives required to be in compliance. And, according to Article 37 of the GDPR, any public entity or other organization that performs regular monitoring and processing of European Union (EU) data subjects on a large scale that can uniquely identify a “natural person” or involve criminal convictions and offenses is required to designate a Data Protection Officer (DPO).
Ideally, an organization should already have its DPO in place so that he or she can lead all subsequent GDPR-related efforts within the business. However, if your organization has yet to designate a DPO, don’t throw it over the wall to your security and compliance team before you (and they) understand the nuances involved with this role, or you run the risk of bringing the wrong candidate on board.
What is a DPO?
The DPO is a critical leadership role that reports directly to the executive management of the organization. In short, the role is responsible for ensuring that your organization is in compliance with the GDPR by architecting and implementing your data protection strategy. The role straddles the lines between a security, compliance, and privacy officer. Staying true to the regulation’s vague nature, the GDPR does not specifically provide a job description or credential requirements for a DPO. However, the regulation does mention that a DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.”
What are DPOs responsible for?
At a minimum, DPOs are responsible for the following five tasks:
- Inform and advise controllers, processors, and employees within the organization of their obligations under the GDPR
- Monitor GDPR compliance activities, including assignment of duties, awareness training, and audits
- Cooperate with the GDPR supervisory authority
- Act as the point of contact with the supervisory authority on all GDPR-related matters
Given the scope and size of the GDPR, the number of DPO responsibilities will no doubt grow exponentially over time.
DPOs also function as the point of contact for data subjects on matters pertaining to the processing of their personal information. Thus, DPOs are bound by secrecy and confidentiality concerning the performance of their job role.
What technology will DPOs rely on?
Unfortunately for DPOs, the GDPR is lacking when it comes to identifying specific technologies that satisfy the regulation, other than basic references to “encryption” and “pseudonymization.” This leaves a fair bit of room for speculation regarding what technology is actually required to comply with the GDPR.
However, given the data-centric nature of the GDPR, DPOs need to focus on the following three key technology areas:
- Complete data visibility — The DPO must have visibility over the organization’s entire data attack surface. This goes beyond the traditional data protection capabilities of siloed servers, desktops, and laptops. DPOs must have access to cloud-scale data protection capabilities that provide a single control point for traditional data sources, as well as native support for mobile devices and cloud applications.
- Data security everywhere — Data under the purview of the DPO must be encrypted everywhere: both in flight and at rest. This requires that the organization’s data protection capabilities support encryption such as TLS 1.2 for data in transit and AES-256 for data at rest wherever possible.
- The ability to erase data — With complete data visibility comes the ability to erase or purge data (think “right to be forgotten”). While the erasure of data is new to many organizations, the GDPR requires that DPOs be able to purge a data subject’s information at that person’s request. DPOs will need data protection capabilities that can delete data granularly while maintaining a complete audit trail of the process.
Ultimately, the GDPR has anointed the DPO as the official role within an organization that will have executive standing and function as the single point of contact for all things related to data protection and the processing of EU citizen data. While I could sit here and wax poetic about the DPO needing business-wide support to be successful, that would be a bit disingenuous. Unlike CSOs and CPOs, who typically lack a regulatory hammer within their own organizations, the office of the DPO carries the full weight of defending the company from a €20M, or 4% of annual turnover, penalty for non-compliance. While many organizations may play the “wait and see” game with the GDPR, the EU will no doubt make an example of the first few organizations that violate the GDPR policies and requirements. By selecting and engaging with a DPO as soon as possible, you can help your organization avoid that scenario.
Start your GDPR-compliance planning by downloading The GDPR Compliance Guide for Business.