If the GDPR (General Data Protection Regulation), the EU's data protection harmonisation project, were to become a Hollywood movie, its genre would most likely be horror. Focus on the regulation over the past twelve months has been aimed mostly at its penalties, with scare stories in no short supply. The GDPR has been accused of many things: visionary, giver of rights, stress inducer and even destroyer of marketing, but never job creator. Yet, for many aspiring data protection professionals, it is precisely that.
The DPO's Grand Entrance
Buried deep in the pages of the GDPR, article thirty-seven gives rise to the creation of a new supervisory appointment referred to as a DPO (Data Protection Officer). This mysterious data protection superhero role, a path upon which none have walked before, can be better understood from the following five points:
- Public Authorities Must Appoint - Public Sector Information Security departments will be welcoming a new addition to their team under the GDPR. All public sector organisations, with the exception of the courts, which process the personal information of data subjects must appoint a DPO to oversee processing activities. The courts and in some cases law enforcement are omitted from various parts of the GDPR to counter it becoming a hindrance to maintaining public safety.
- The Role is Optional but Recommended for Most Organisations - There exists an interesting mixture of information available online suggesting that organisations larger than a specified size would encounter a mandatory requirement to appoint a DPO. However, this is untrue. The GDPR simply says that a DPO is necessary if an organisation's activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or when processing special categories of data, such as those relating to criminal convictions and offences. The ambiguity is such that it may be in the best interests of most to consider creating the role for risk-containment purposes even if there is no obvious requirement.
- DPOs Must Have Demonstrable Expertise - From the very beginning of the GDPR's inception, the EU has been resolute in avoiding it becoming a tick-in-the-box compliance activity. The role of DPO is no different: it cannot be nominally assigned to an unqualified member of staff. Instead, the regulation calls for DPOs to have expert knowledge of data protection law and practices.
- They Must Be Accessible to Data Subjects - In addition to supervising the data processing activities of the data controller/processor and ensuring its compliance, the DPO is there to exercise the rights of data subjects. The name and contact details of your DPO must be published on any personal data processing related reports and, crucially, on the organisation's public website.
- Shared DPOs or vDPOs are Allowed - Most small to medium sized businesses across Europe are unlikely to require the services of a DPO on a full-time basis. In recognition of this, the GDPR accepts that DPOs can be shared across organisations so long as their role in each is not compromised or diminished by another. This has already spawned the creation of a new service known as the virtual DPO: a third-party outsourced offering which provides a DPO presence for an agreed number of days per year.
In short, the position of the DPO is intended to place a personified GDPR rule book into organisations which are handling and processing the personal information of data subjects. Rather than have the supervisory authority (the ICO in the UK) attempting to police the enforcement of the regulation, a hierarchy of sorts allows this responsibility to be passed down to each DPO. A one-stop-shop role for all things data protection.
DPO for Hire
For organisations that already have an Information Security Officer, it makes simple sense to merge the roles through additive training; after all, there are many nods to the ISO 27001 standard in the articles of the GDPR, something your ISO will already be familiar with. For smaller organisations, or those who are unsure whether they even need DPO services, the flexibility of a vDPO option is a better and more cost-effective proposition.
While the negative feelings about the GDPR are subjective, its job creation prospects are not. Expect to see plenty of job adverts for data protection officers adorning the websites of recruitment consultants in the years to come. The DPO is here to stay.
(This article first appeared on the Tripwire blog)