The EU’s General Data Protection Regulation (GDPR) continues to approach like a
runaway freight train, and as you rush to make sure your data oversight is compliant, don’t forget about the Data Protection Officer (DPO).
One of the main sticking points about the GDPR is whether to appoint a Data Protection Officer or not. The regulation does spell out when a DPO is mandatory (Article 37), but terms such as "core activities" and "large scale" leave room for interpretation, so I want to break down some of the basics so your organization is ready come May 25th, 2018.
What do Data Protection Officers do?
Apart from being your in-house expert on all things GDPR, your DPO is the go-to person for colleagues with questions about the regulation, and they are tasked with continuously monitoring your company's compliance (Article 39). Arguably their most important role in the post-GDPR world is as the contact point for the supervisory authority when it chooses to audit or review your data handling, and for data subjects in the EU who question the data your company holds about them. The regulation also requires that the DPO be given access to your personal data and processing operations, the resources needed to do the job, and a direct reporting line to the highest level of management (Article 38).
Will everyone need a Data Protection Officer?
This is where it gets a little fuzzy for some organizations. Under Article 37, a DPO is mandatory in three cases: for public authorities and bodies; where the core activities involve regular and systematic monitoring of data subjects on a large scale; and where the core activities involve large-scale processing of the special categories of data (for example racial or ethnic origin, political opinions, religious beliefs, health, genetic or biometric data) or of data relating to criminal convictions and offences. Beyond those cases, nobody yet knows how much auditing will be required or how strictly the regulation will be enforced, so some companies are finding it hard to pull the trigger and appoint a DPO.
Can we just give the DPO responsibilities to an existing employee?
While some companies may already have someone with the specific skill set needed to be a DPO, it's probably best not to lump the position on someone who will learn as they go. The regulation requires the DPO to be appointed on the basis of professional qualities and expert knowledge of data protection law and practice (Article 37). Whoever you appoint will have their work cut out for them as the world adapts to the GDPR, and must be able to hit the ground running when the regulation comes into force; failing to appoint a DPO where one is required is itself an infringement that can attract a fine. It's also handy to remember that whoever you appoint may hold other roles only if those roles create no conflict of interest, which in practice rules out anyone who decides the purposes and means of processing, such as the head of IT, HR or marketing (Article 38).
The DPO must be independent in the performance of their tasks: they must not receive instructions about how to carry them out and cannot be dismissed or penalised for doing so. Their job is to inform and advise the organization and to monitor its compliance, and they are the point of contact for, and must cooperate with, the supervisory authority. Understandably, housing someone with that mandate and that protection is a challenging proposition for a business, which makes companies even more cautious when trying to hire for this role.
Can we hire a third party, like a legal service provider, to handle DPO duties?
Given that this new regulation is still the center of a lot of confusion, some companies are looking at hiring a third party, like a law firm or IT consulting firm, to handle the DPO duties. The regulation explicitly allows a DPO to fulfil the role on the basis of a service contract (Article 37), so this is legal, but it should be done with caution.
The first problem is that you are adding more people and organizations with access to your data, which widens the set of potential breach points and ultimately may complicate things further. Second, the cost may not be worth it: service providers of this kind often bill by the hour, and your organization may end up with a very large invoice every month. So while this is an option, it is not highly advised.
Whatever you do, don’t delay
However you choose to handle the Data Protection Officer dilemma, it's best not to wait until the eleventh hour. Once the GDPR is in full force there will almost certainly be a rush on qualified DPO candidates, leading to an inevitable shortage. A recent study from the International Association of Privacy Professionals (IAPP) concluded that 28,000 data protection officers will be needed over the next two years.
Good news for any trained DPOs out there, but less so for all the companies looking to comply with the GDPR.