The emergence and impact of the Data Protection Officer
According to Forrester, 80 percent of companies likely didn’t comply with the General Data Protection Regulation (GDPR) deadline, and of those, 50 percent intentionally ignored the regulation by weighing the costs and risks.
Many companies either didn’t have time, are ignoring, or are unaware of the true impact of GDPR and how it not only affects systems and processes, but also staffing needs. That said, one of the lesser known mandates of the regulation is the creation of a completely new role: The Data Protection Officer (DPO).
The data protection what?
If you haven’t heard of this before, it’s time to pay attention. This new role is responsible for many critical areas relating to the anonymization and the preservation of personal information collected by a company. The DPO acts as the architect of the procedures by which personal information is collected, processed and stored within the IT infrastructure; ultimately, promoting the adherence to GDPR requirements. And while this may sound straightforward, the intricacies of the position are magnified when you consider the widespread impact of cyber-attacks and data breaches.
DPOs are going to be in high demand, so finding and retaining one will not be an easy task for organizations scrambling to get their ducks in a row. In fact, the International Association of Privacy Professionals estimated that GDPR created 75,000 new DPO vacancies globally. A hybrid cybersecurity and backup expert, the DPO must possess dual jurisdiction and be able to detect the signs of vulnerability or intrusion early enough to protect private data. The GDPR mandates that companies report any violation or breach within 72 hours of the discovery, making a thorough understanding of the legal framework around privacy crucial.
Additionally, the DPO must be up-to-date on amendments to the regulation to make sure the company remains compliant. This expertise comes with a high price and will, undoubtedly, introduce a variety of challenges for midsize organizations that don’t have the budget to hire a full-time, permanent DPO with the complex skillset required.
What will the future of compliance hold?
Many data protection experts believe we’ll see an emergence of compliance-as-a-service models. In this case, a DPO could work with several companies at one time and delegate specific tasks to the IT teams already in place. To control costs, many organizations will likely look to this outsourced type of model to transfer the responsibilities of defining, applying and monitoring practices to an outside firm. However, each company will ultimately still be responsible for its data and must approach this service model with careful consideration. Therefore, it will also be important for IT leaders to consider looking to their data protection provider for advice on the technology necessary to make compliance as painless as possible.
When seeking advice and guidance from either the DPO or a data protection provider, IT leaders should ask:
How to deal with legacy systems: Many legacy systems lack the capability to deliver a comprehensive GDPR solution because they’re oriented around individual data management challenges. So, identifying and phasing out these systems will be critical.
Which new tools to invest in: At the end of the day, there is no single tool that covers all aspects of GDPR. The regulation demands improved data governance, so it’s very important to deploy tools that enable swift personal data identification and easy removal from systems, if needed.
What constitutes personal data: Personal data is defined pretty broadly, and can include personal email, email addresses, and data collected in marketing and typical backup and data protection processes. It will be important to discuss processes and parameters for defining personal data.
What are the best practices for email archiving: Personal data about individuals is shared extensively in emails, which must be produced by an organization if a subject access request (SAR) is made by individuals exercising their right to see their personal data. However, given that more than 60 billion emails are created every day, the potential for compliance violations is substantial. The administrator must have tools provided by an archive solution to identify and remove emails in the event a user withdraws consent. It will also be important to keep and establish processes for maintaining activity logs for audits.
Where data is stored: It’s also important to know where data is stored. For example, when organizations store data of citizens from the EU, it needs to reside in the EU unless an organization has a system in place where customers can grant permission for it be stored elsewhere. This is especially tricky for international companies who may have data centers around the world.
Maintaining GDPR compliance will have to be an ongoing task for organizations and the DPO will play a critical role at companies of all sizes. So, whether a company decides to onboard a full-time DPO or work with one on a part-time basis, it will be imperative to heed their guidance and advice. Working in combination with the DPO and a data protection provider will ultimately lead to compliance success.