GDPR introduces a new job position: The data protection officer

At 99 articles, the General Data Protection Regulation (GDPR) is a daunting piece of legislation. Fortunately, it had the foresight to assign itself an administrator.

Enter the data protection officer (DPO). If you haven’t heard of this new role, you will soon.

A straightforward job description…

GDPR’s Article 39 lays out the requirements for the new job.

The data protection officer shall have at least the following tasks:

• To inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this regulation and to other Union or Member State data protection provisions.
• To monitor compliance with this regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
• To provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35.
• To cooperate with the supervisory authority.
• To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

Whew. There’s a lot to do. But even without GDPR, there’s been an increasing need for additional personnel to handle cybersecurity issues. Last year saw record-breaking data breaches. And just this week, RiskIQ released its CISO Survey of 1,691 US and UK businesses, which showed that 67 percent say they do not have sufficient staff to handle the cyber alerts they currently receive.

The International Association of Privacy Professionals (IAPP) has estimated that as many as 75,000 DPO positions will be required across the globe.

… but the role will likely evolve

Dimitri Sirota, CEO and co-founder of data protection company BigID, said that DPOs will vary from business to business.

“GDPR does not specify precise credentials a DPO must have, therefore different businesses will look for different professional qualities amongst candidates,” Sirota said. “DPOs are responsible for training staff involved in data processing, educating the company and its employees on important compliance requirements and conducting regular security audits, so it is a very expansive role with varying responsibilities. In addition, DPOs operate as the point of contact between the enterprise and any supervisory authorities that oversee data related activities.”

“What we have been seeing in the months leading to GDPR implementation is a focus on independence and overall managerial qualities, and less on one specific skill set. Typically, businesses will default to people with some sort of legal background, and this makes perfect sense due to the extreme legal ramifications companies face in failed compliance,” Sirota said, acknowledging that as time progresses, so will the required skill sets.

“However, as time progresses and businesses become more familiar with compliance requirements and operation, we expect to see this role demand greater data knowledge and aptitude. A highly important skill for businesses to evaluate when hiring a DPO is the ability to communicate with a wide range of audiences with varying levels of legal and data knowledge. In the early going, we can expect a good amount of trial and error in DPO hires, and the skill sets possessed by DPOs keeping businesses in line with GDPR compliance will become those in the highest demand,” Sirota said.

Andy Dale, software company dataxu’s vice president, legal, has taken on the DPO role “knowing we might have to reevaluate just prior to the effective date in May 2018.”

“Prior to the GDPR it was important that this role integrate into the product management and development teams to provide review and sometimes sign-off on how data is used and managed,” Dale said. “After the GDPR, it will become very important. The DPO needs to serve as a layer of independent review and act as the ambassador of data subjects. In my opinion, the most important aspects of this role are: the oversight of privacy impact assessments for higher risk processing activities and the integration of privacy by design principles.”

Dale said that dataxu will create a dedicated DPO office and transition the role to a third party who will “provide independence, but who is deeply expert in the adtech ecosystem. The DPO will be closely involved in the product lifecycle, lead independent review of privacy impacts, provide policy advice and data governance. Creating this third-party independent DPO allows for a stronger implementation of data protection oversight,” he said.

The end user gets a voice

“As a B2B software company, our DPO plays a very unique role in our business,” David Spitz, CMO of customer data platform mParticle, told me. “If marketing represents the voice of the customer, the DPO is the voice of our customer’s customer — the consumer — as it pertains to the ethical use of their data. On any given day, she supports various departmental functions, including legal, product, marketing, sales, engineering and support services, but she does not sit within any one of them.”

“A DPO who is just there to ‘check a box’ on a regulatory requirement will never be successful. The role must be given complete autonomy to address issues and opportunities beyond the letter of the law, and across disciplines,” Spitz said.