Top qualities you need in GDPR Data Protection Officer (DPO)

The EU General Data Protection Regulation (GDPR), to become law May 25,2018, requires many companies to create a new position, that of the Data Protection Officer (DPO). This person needs to be highly connected, highly effective and highly accessible.

  • Does your company need a DPO?
  • What are the responsibilities of the DPO and of the company?
  • What qualities and capabilities should you be looking for in a DPO?

GDPR is the most sweeping and broadly-impactful regulation to hit in a long time. It is complex—being comprised of 99 articles—and the fines for non-compliance are stiff—up to 4% of global revenue or 20,000,000, whichever is higher.

While there are potentially some very nice upsides to GDPR if you take the long view—greater consumer trust, easier sharing of information within the system—analysts across most industries anticipate a period of upheaval while companies bring themselves into compliance.

As with any new law, it is untested; definitions of some key phrases have not been provided or have yet to be tested in the courts. Attorneys will be arguing key points for years until we establish a good understanding of much in GDPR.

But don’t think that just because you do not operate in the EU, GDPR does not apply to you. If your company has data on any citizen of the EU, regardless of where your company happens to be, that data happen to be or where that citizen happens to reside, GDPR still applies to you. If you are a company based in Zimbabwe, storing data in the U.S. on Azure servers, about a person that is living in China, but that person is a citizen of Norway, GDPR still applies to you

But let’s start with what we know so far, just from what GDPR says in the text itself.

(If you have any responsibility for regulator compliance for your company, I recommend that you go read key Articles of GDPR yourself; they are surprisingly straightforward… One great resource is EUR-Lex which provides the source text all EU Law in 24 languages, but as it has pretty much everything, it is a bit challenging to navigate. EUGDPR.org and Privacy-Regulation.eu are a bit more readable and searchable.)

Does your company need a DPO?

GDPR Article 37 states that the company “shall designate a data protection officer”, where: “core activities” consist of processing “special categories of data” on a “large scale”.

Well that sentence is just full of phrases begging for definition:

  • core activities – This is not well defined. But EU attorneys that are currently blogging on the subject are leaning toward interpreting this broadly. So even if you track user activity on your website to better provide services or advertising, that is likely to be included.
  • special categories of data – This one is pretty well defined in Article 9, but to sum up: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation
  • large scale – No one agrees on this. So legal bloggers are recommending this be treated very conservatively and that if you store the personal data on any customer, you should designate a DPO. Time—and court opinion—will clarify this point

So go work through Article 37 with your attorney. If a regulator audits you and concludes that you should have a DPO and you do not, you may be subject to administrative fins under GDPR, 2% of global revenue or 10,000,000, whichever is higher. [Article 83]

A couple of points to make having a DPO easier however:

  • A group of undertakings may appoint a single DPO, provided that a DPO is easily accessible from each. If you have a group of related companies or are the parent corporation for a number of child companies, you can have one DPO
  • The DPO is permitted to be a 3rd party. I anticipate law firms and cyber security companies in the EU standing up outsourced DPO capabilities. Such offerings may be particularly attractive to smaller and medium-sized businesses.

What are the responsibilities of the DPO and of the company?

Per GDPR Article 38, the DPO “shall directly report to the highest management level” of the company.

Proper visibility and reporting structure has been the bane of the Information Security industry for years. When the CISO reports multiple levels down, sometimes below the CIO (direct conflict of interest) or even further down in the organization, security has no voice to senior management. That is what has lead the world to where we are now with breaches being reported every few days. The priority has just not been there. Well GDPR is having none of that. The DPO must report to the CEO, President or Board. That level. No burying this issue.

And even more than that, “organizations shall support the DPO by providing resources necessary to carry out required tasks and to maintain his or her expert knowledge”

So the DPO must be properly funded, staffed, and trained. What!? We spent years ignoring this for security, but it now looks like they are going to require that things be done the right way. Which is great for security as well. One interesting definition of Security is “the technical and procedural methods for ensuring Privacy”.

GDPR Article 39 lists the core responsibilities of the DPO:

  • to inform and advise the controller or the processor and the employees who carry out processing of their obligations
  • to monitor compliance with the GDPR
  • to act as the contact point for the supervisory authority on issues
  • also, data subjects must be able to contact the DPO to report issues and have them resolved [Art. 38]

What qualities and capabilities should you be looking for in a DPO?

  • A person with deep experience in your organisation and what it does
  • A person with deep experience in privacy/regulatory frameworks
  • A person with polish and credibility with the board, CEO, and regulators
  • A person approachable by and supportive of the data subjects
  • A person that understands security technology well enough to drive privacy improvement initiatives

So… pretty much you are looking for a unicorn.

The likely source of the first round of DPOs:

Most organizations are likely going to designate a senior resource that knows your business well and has regulatory experience--someone from general management, legal, audit, etc.—a person that has *most* of the qualities necessary.

Be honest in your evaluation of the skill set of your new DPO. We as an industry are going to have to support that person.

New DPOs will need fresh information, skills and tools to cover those elements they do not already possess, as will staff members supporting the DPO.

EXIN is here to help.

 

Quinn R. Shamblin

Chief Examiner for EXIN’s Privacy and Data Protection Portfolio

CISM, CISSP, ITIL, PMP, GCFA

Quinn Shamblin