The European Union’s sweeping new General Data Protection Regulation goes into effect six months from now. Most ethics and compliance officers in the United States already know that, and most are responding with some degree of concern or alarm.
Today we’re going to focus your alarm on one particular concept in the GDPR: the data protection officer (DPO).
Under Article 37 of the GDPR (Article 39 lists the DPO’s tasks), organizations doing business in Europe or handling the personal data of people in the EU must designate a DPO when their core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data; public authorities must designate one regardless. Yes, that person can be an employee already at your business, or a “freelance” DPO working on a contract basis.
Still, exactly what is a DPO supposed to do? And how can companies identify the right DPO for their own organization—including the possibility that the compliance officer ends up as DPO? (Because you have so much free time, after all.)
To get a better sense of those issues, this month I conducted an interview with Amanda Gratchner, former Global Privacy Officer & Senior Counsel at NAVEX Global. You can listen to the full interview below (15 minutes). Meanwhile, my key points from our conversation are below.
First, the key word here is protection, not privacy.
I touched on this in a related post last month: that GDPR compliance is really about ensuring that your company’s data collection and processing practices allow EU citizens to exercise the rights to their personal data that the GDPR itself spells out.
That perspective informs a lot of what DPOs are actually supposed to do, which goes well beyond slapping data security controls on Personally Identifiable Information floating around your enterprise. DPOs must be ready to deal with regulatory authorities inquiring about your GDPR compliance; to manage privacy risk assessments; to handle inquiries from people asking about their PII (“data subjects,” in GDPR vocabulary).
This is not merely a job about data security and privacy controls. This is a job about fostering business processes so that your company can be a good steward of the personal data that people in the EU entrust to it.
Second, support and sourcing for the DPO function are crucial.
The GDPR doesn’t offer much detailed advice on how to structure the DPO role. The person has no specified location on the org chart. You might even have multiple DPOs operating among several separate business units, who then report to some global head of privacy or data protection, who answers to the CEO.
It’s more accurate to say the GDPR defines several traits a successful DPO must have. Answering to the highest levels of the organization is one. Adequate resources to fulfill his or her job is another. The person must also have adequate expertise in privacy law, security and business process management.
In other words, corporations will not be able to give the DPO short shrift and stay in EU regulators’ good graces. Compliance officers can appreciate that point quite a bit.
Lastly, others will need to respect this person.
Our second point above gets to the heart of GDPR compliance: not just whether your company takes the law seriously, but whether it takes data protection seriously. The DPO, whoever he or she may be, will need respect from the operating business units (the so-called First Line of Defense) as much as from the risk management functions (the Second Line of Defense).
So in addition to a DPO with expertise and resources, the company will need to review the rest of its control environment, too: messages from senior management about the importance of data protection; training for employees; discussion of “privacy by design” when operations executives cook up a new idea or business process that could make a bundle.
Yes, the DPO will be a leader in the team effort on privacy and GDPR compliance. But you’ll still need the rest of the team.