The time to start staffing up for the GDPR is now. Organizations have very little time to discuss, plan, and execute all of the business initiatives required to be in compliance. And, according to Article 37 of the GDPR, any public entity or other organization that performs regular monitoring and processing of European Union (EU) data subjects on a large scale that can uniquely identify a “natural person” or involve criminal convictions and offenses is required to designate a Data Protection Officer (DPO).
Ideally, an organization should already have its DPO in place so that he or she can lead all subsequent GDPR-related efforts within the business. However, if your organization has yet to designate a DPO, don’t throw it over the wall to your security and compliance team before you (and they) understand the nuances involved with this role, or you run the risk of bringing the wrong candidate on board.
What is a DPO?
The DPO is a critical leadership role that reports directly to the executive management of the organization. In short, the role is responsible for ensuring that your organization is in compliance with the GDPR by architecting and implementing your data protection strategy. The role straddles the lines between a security, compliance, and privacy officer. Staying true to the regulation’s vague nature, the GDPR does not specifically provide a job description or credential requirements for a DPO. However, the regulation does mention that a DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.”
What are DPOs responsible for?
At a minimum, DPOs are responsible for the following five tasks:
What technology will DPOs rely on?
Unfortunately for DPOs, the GDPR says little about which specific technologies satisfy the regulation, beyond basic references to “encryption” and “pseudonymization.” This leaves a fair bit of room for speculation about what technology is actually required to comply with the GDPR.
However, given the data-centric nature of the GDPR, DPOs need to focus on the following three key technology areas:
Ultimately, the GDPR has anointed the DPO as the official role within an organization that will have executive standing and function as the single point of contact for all things related to data protection and the processing of EU citizen data. While I could sit here and wax poetic about the DPO needing business-wide support to be successful, that would be a bit disingenuous. Unlike CSOs and CPOs, who typically lack a regulatory hammer within their own organizations, the office of the DPO carries the full weight of defending the company from a €20M, or 4% of annual turnover, penalty for non-compliance, and I would be remiss not to remind everyone of that. While many organizations may play the “wait and see” game with the GDPR, the EU will no doubt make an example of the first few organizations that violate the GDPR policies and requirements. By selecting and engaging with a DPO as soon as possible, you can help your organization avoid that scenario.
Start your GDPR-compliance planning by downloading The GDPR Compliance Guide for Business.