You better hurry up and hire your data protection officer (DPO) for the EU’s General Data Protection Regulation (GDPR), because demand is about to soar.
The International Association of Privacy Professionals (IAPP) estimates that the number required in Europe alone will be at least 28,000. As with any commodity, scarcity drives up the price, and DPOs are rare indeed.
Organizations are required to appoint a data protection officer when: a) they are a public body; b) their processing operations require regular and systematic monitoring; or c) they have large-scale processing activities, especially involving special categories of personal data (race, religion, political opinion, etc.).
"Large scale" does not necessarily mean hundreds of thousands of data subjects, either, according to Gartner; earlier drafts of the rule mentioned the processing of data on more than 5,000 subjects in any 12-month period.
“To be clear, a DPO primarily assists in being GDPR-compliant. He or she will point out the proper controls and forms, but does not create that privacy-proof enterprise culture. That's what awareness programs are for,” said Gartner.
The consultants make the following recommendations:
1. Hire a data protection officer now, regardless of legal necessity, and follow the guideline requirements for the position. Determine whether an in-house employee or a DPO provided "as a service" best fits your organization.
2. Provide a platform in your business for the DPO. Ensure cooperation with security experts to flawlessly integrate awareness campaigns and architecture decisions. Ensure that business management knows how to contact the DPO.
3. Define personal data for your organization and communicate this via privacy training.
As we have said before, a DPO has to be a jack-of-all-trades: an expert in data protection and law, a key communicator between the C-suite and staff, and a leader capable of turning compliance issues into business opportunities.
The DPO will need to possess four important skill sets: the ability to “talk tech,” an understanding of the EU legal system, the skills of a C-suite communicator, and the qualities of a people leader.
The pressure is on; hire your DPO as soon as possible to get a head start on the regulation. Once you have found someone, hang on tightly; he or she can push your organization to make the most of GDPR, using it as an opportunity for change and collaboration.
Check out the Gartner white paper.