Tackling GDPR Challenge #5: The Data Protection Officer – Is There an Officer, Problem?
The last installment of our Top Challenges of GDPR series provides guidance for designating a data protection officer and setting them up for success.
Welcome to the 6th, and final, installment of our series on the top challenges to meeting the upcoming GDPR data protection standards. Today’s discussion is on the requirement that certain organizations appoint a data protection officer (DPO) to be the monitor for GDPR and any other applicable data protection laws. In organizations where personal data is part and parcel to their business, someone may already be in a role similar to this, but the GDPR puts further responsibilities on this role in exchange for some semblance of job security. The regulation states, “…He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks.”
There are terms that determine which businesses need a DPO and those that can do without, though for businesses that are on the cusp or are unsure if they quality, the best practice would be to appoint a DPO. Early drafts of the GDPR stipulated a 250-employee minimum before a DPO was needed, but the approved version removed this threshold. The requirements for which organizations need DPOs rely more on the level of risk, which seems logical, rather than an arbitrary employee minimum that could be gamed to avoid this issue. The three tests for needing a DPO are as follows:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
The conjunction “or” between those terms broadens the standard to the point that more businesses will need to pay attention to GDPR.
What makes this challenge difficult?
Starting with the most obvious: the staffing shortage. The infosec community is already battling a talent shortage and the addition of a mandated role that requires security expertise will place additional stresses on this. A study from the IAPP in April of 2016 estimated that there are at least 28,000 data protection officer roles to be filled in order to achieve compliance by the May 25, 2018 GDPR enforcement date. An unfilled security role today represents a potential risk, an unfilled data protection officer role in 1 year represents a compliance violation.
Next is the immediate need to have someone in this position; essentially today. GDPR is a broad and challenging regulation; the operational, organizational, and technical changes will not happen overnight. Having someone act as the single point of contact for GDPR will drive accountability for all these required changes. The sooner a DPO is in place, the better, but refer to the previous challenge of staffing shortages being the norm.
The organizational changes required to create a central role and the power shift that will occur with a DPO in place are two tightly linked challenges. In many organizations, the DPO will represent a new way of thinking about security. He or she will need to ensure that the business thinks and acts in a manner different than in the past. Data protection must now be a top priority. This new role also gets an immediate seat at the executive table:
“The data protection officer shall directly report to the highest management level of the controller or the processor.”
This power shift may cause concern for those used to the status quo; undoubtedly some will feel that a new role was given this seat without earning it, despite whatever level of technical and business acumen he or she brings to the role.
The DPO shall be involved “…in all issues which relate to the protection of personal data.” This central role means that the business must put steps in place to ensure he or she is positioned for success. It means staffing and budgets will be altered to ensure GDPR can be met “by providing resources necessary to carry out those tasks…”
How do organizations tackle these challenges?
Many orgs need the role filled today. Organizations can appoint an existing employee as DPO, but it may change their responsibilities and it may also require them to be at the forefront of the data protection process versus working behind the scenes. Getting the right person for the role is the ultimate “people” challenge.
From a process standpoint, the business needs to define the role and create the “job description” for this person. Do they need a doer or a planner? Is the DPO a deep technical expert or is he or she more comfortable relying upon a business focus to succeed? The DPO needs to report to the highest level; is this a process change from today? If so, how will the business integrate this senior role into the company and the executive team?
To set this person up for success, businesses will need some technology to support these people and process changes. Some of these technologies may already be in house and will just need to be tailored for GDPR, while other businesses may need to invest in new technologies. The three key areas for a DPO to focus are visibility, analytics, and controls.
- Visibility – The DPO needs to know where all the GDPR data lies in both the on-premises infrastructure and in cloud storage. Data discovery will be instrumental in setting the baseline for the GDPR program.
- Analytics – Once it is located, watching how and where GDPR data moves is the second part of the story. The DPO needs to understand what is happening with the data; is it following the proper procedures or are employees using potentially risky or non-compliant methods to get their jobs done? The analytics will show how this data moves.
- Controls – Once the DPO has identified GDPR-regulated data and watched it move, he or she can use controls as needed to stop potential violations and educate users at the time of their actions to change behavior. For example, if personal data is moving to webmail, technology can either block this action or enforce encryption as needed.
The data protection officer requirement in the GDPR ensures that a single person is in place to be the data protection champion. He or she is given a seat at the executive table, but to be successful, business-wide support is critical. To learn more about the other top GDPR challenges and the steps required to address them ahead of the May 2018 GDPR deadline, watch our webinar on demand.
Read more in our Top GDPR Challenges series
- The Top 5 GDPR Challenges: Accelerating your Path to Compliance
- Tackling GDPR Challenge #1: EU Residents are The New Data Owner
- Tackling GDPR Challenge #2: Treat Others’ Data as You Would Your Own
- Tackling GDPR Challenge #3: The 72-Hour Notification Requirement
- Tackling GDPR Challenge #4: Privacy by Design and Default
- Tackling GDPR Challenge #5: The Data Protection Officer – Is There an Officer, Problem?