Data Protection Officers: Who they are and what they do
Do people care about what data companies collect, how they store it, and what they do with it?
Of course they do! It’s been hotly debated for years and now, with the Facebook – Cambridge Analytica news all over the media, things are getting even more serious.
In many ways, it all sets the stage for the European Union’s upcoming General Data Protection Regulation (GDPR) that replaces the 1998 Data Protection Act and “transforms” how most of the companies, in the EU and outside, do business online.
Most importantly, the reach of the GDPR goes way beyond the 1998 regulation, affecting companies dealing with customers in the EU.
The new framework also has implications around consent, accountability & privacy by default, notification of a data breach, sanctions, and enforces the “right to be forgotten”.
To comply with them and to make sure your business crosses all the t’s and dots all the i’s when it comes to managing data, you need to hire a data protection officer (DPO).
Although the GDPR only requires that public authorities and certain companies processing personal data on a large scale have a DPO, others should consider hiring a DPO too.
— ICO (@ICOnews) December 7, 2017
Job description (on paper)
The DPO, a position created by the GDPR in Chapter 4 (“Controller and Processor”), Section 4 (“Data protection officer”), has its designation, position, and tasks outlined in Articles 37, 38, and 39.
If you take a look at the job description of the DPO, or as the GDPR calls it, the list of tasks the DPO is required to perform, you’ll notice the critical role they play in helping your business comply.
Here is a snippet from Article 39 to help understand the extent and scope of the role:
To inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions.
To monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data.
To provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant.
To cooperate with the supervisory authority.
To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation, and to consult, where appropriate, with regard to any other matter.
According to the International Association of Privacy Professionals (IAPP), as many as 75,000 DPO positions will be required across the globe.
— Daniel Newman (@danielnewmanUV) March 4, 2018
At your firm, aside from fulfilling their statutory duties, your DPO could help train your employees and ensure they’re sensitized to the fact that the organization collects data – which is sensitive, private, and valuable.
The DPO also has a say in your firm’s cybersecurity protocol. Not only can they strengthen it, but can also help you establish one that’s in line with best practices for your industry.
Further, since your DPO is statutorily required to report your organization to the GDPR’s enforcing body, you’re more likely to be held accountable and less likely to feel like you can neglect the provisions of the law.
And finally, a DPO will give your clients more confidence – especially if you work with enterprise-grade or institutional clients who themselves need to comply with GDPR.