Now Hiring: Data Protection Officer
With GDPR now in effect, companies will need to ensure ongoing compliance, which may include appointing a data protection officer (DPO). In the United States and Europe alone, that translates to an estimated 28,000 new DPOs needed, according to the International Association of Privacy Professionals (IAPP). But what is a DPO and how does this role differ from existing roles dedicated to privacy and security? Who is best suited for this position, and where does it “fit” within a company’s structure?
What Is the Role of the DPO?
The most important duty of a DPO is to help the company understand how GDPR relates to the company business and to ensure that this knowledge is adequately transferred to company management and employees. While the DPO will observe, evaluate risk, and advise the company on how to correct issues and ensure compliance, he or she will not make those decisions for the company.
A typical scenario that would require the DPO’s expertise would be finding out whether a certain action — such as targeting consumers for a digital advertising campaign — would be in compliance under GDPR. The DPO would then conduct an independent assessment, reviewing GDPR requirements and standard approaches to privacy in this kind of situation. He or she would also consult guiding information published by privacy working groups in the EU or by data protection authorities. Based on this information, the DPO would advise whether the current data processing scenario is sufficient, or whether there’s cause for concern and a need to change the current process.
Who Needs a DPO?
Big companies that work with a lot of personal data may be the first to come to mind, but public institutions like large schools and hospitals might also be required to appoint a DPO.
In fact, within the EU, all public administrators are required to appoint a DPO. Apart from the requirement for public administrators, there are two criteria that determine whether an entity needs to appoint a DPO: if the core activities of the company require regular and systematic monitoring of data subjects on a large scale, and if the company is processing special categories of data or data related to criminal convictions and offences. The scale of the data processing — in terms of how many individuals are affected and how much data is processed from each individual — also makes a difference.
Think about a small company that’s doing public research for a political party, and that involves paying college students to interview people on the street and ask about their political opinions (which is under GDPR considered “special category of data,” or in other words, sensitive information). Despite the company having only a few employees, it will gather personal information on a lot of people — which, if made public or was misused — could be potentially harmful. Under GDPR, this small company will now find themselves in need of a DPO. This is why such a company needs to proceed with diligence regarding the new regulations, and the role of DPO should ensure the appropriate steps are taken.
For some industries — including banking, healthcare, and insurance — data protection has already been an ongoing concern, and the current rules have implicitly assured individual privacy. These sectors will see less of an impact as a result of employing a DPO. For example, healthcare systems have lots of sensitive personal data related to patient health, but this data was already subject to both stringent security practices and privacy considerations; the ethical codes, as well as the laws preventing doctors from disclosing personal information against the patient’s wishes, existed well before GDPR was enacted.
Others, like big social media companies or ad companies, collect a lot of personal data and use that data to try to make as much money out of it as possible, often by selling it rather than just using it for their own product improvement. These companies have a significant amount of leverage against the individual, who doesn’t have the expertise or the means to assess the company’s privacy practices.
Users are also often faced with a “take it or leave it” situation where opting out completely is hard to achieve because of the way the search engines and tracking systems are integrated into both the Internet and smartphones, or it means losing contact with their friends, who are all using the same social network.
This leverage and the non-existent regulations are exactly the reasons why GDPR was created. These types of companies can expect to see big changes to the way they do business, and again, the role of DPO should help them balance individual privacy and business interests.
How the DPO Functions Within the Company
In terms of finding someone to appoint as a DPO, most companies that work with lots of personal data already have a privacy officer or chief privacy officer in place, which is a logical predecessor to the DPO position. There are some differences in the role requirements, but anyone who was involved in oversight of privacy practices is a great candidate for this role.
The key difference is that a DPO needs to be independent, because they are charged with being an advocate for the individual. If the DPO was the one responsible for also doing some work outside of the tasks assigned to a DPO, they might soon find themselves in a conflict of interest. Say you need to do something for the business that will make it more efficient but you’re also trying to balance the privacy needs and rights of the individual. This would be close to impossible, which is why a DPO can have no other responsibilities beyond recommending an appropriate course of action to protect privacy and making sure the business fully understands the implications of their planned actions.
Furthermore, because the DPO is acting on behalf of the individual, he or she cannot be dismissed or penalized by the company for the way he or she performs as long as the individual’s best interest is kept in mind. Even if the DPO recommends an action that ultimately results in the company needing to pay a penalty, the DPO cannot be held responsible for this error, because he or she acted in good faith to protect the individual.
Such a situation is considered a failure of the company (who should have done a better job finding the right DPO). This prevents companies from finding a straw person to appoint as a DPO, blaming them if something goes wrong, then getting a new DPO. Under GDPR, this kind of maneuver is unacceptable.
What to Look for in a DPO
Many companies in the EU are already capitalizing on the need for DPOs by introducing training or certification courses, but in general this is just a way to make some money out of GDPR without providing any actual assurance or value. There is no need for DPOs to be certified under GDPR or receive any particular training; the only requirement is that the DPO be appointed on the basis of their professional experience and knowledge of privacy-related matters. In particular, they should have ample knowledge of data protection laws and practices, be able to provide advice, ensure ongoing compliance, and conduct data impact assessments.
Since GDPR will remain in effect for years to come, some may choose to specialize in privacy issues as their career. For those who want to be a DPO in the future, the closest thing in terms of a related degree is a specialization in privacy law, but it’s unlikely to find a qualified DPO directly out of college. The problem is that these experts might have an excellent understanding of privacy regulation in general and can provide guidance on some rather complex tasks, but an effective DPO should also have an expertise in the market they’re operating in. The successful DPO has a strong understanding of privacy rights and regulation — and the field expertise to understand how the company will use the data.
About the author: Tomáš Honzák is the Director of Security and Compliance at GoodData, where he built an Information Security Management System compliant with security and privacy management standards and regulations such as SOC 2, HIPAA and U.S.-EU Privacy Shield.