So, You Want to Be a Data Protection Officer

The General Data Protection Regulation (GDPR) will be enforced starting on May 25, 2018. One of its requirements is that many organizations that process the personal data of people in the EU must appoint a Data Protection Officer, who may be an employee or an external contractor. The obligation applies to public authorities and to organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data.

This role is sometimes mistitled Data Privacy Officer. The authors of the GDPR consciously call it a data protection regulation, and call its champion a data protection officer, to emphasize that the confidentiality and integrity of personal data matter as much to privacy as obtaining consent to collect that data in the first place.

Therefore, coming into the role, the Data Protection Officer (DPO) must have expert knowledge of data protection law and of the practices needed to protect data, because they will be involved in all issues relating to the protection of personal data. Because personal data often is not (or cannot feasibly be) isolated from non-personal data, the DPO will in practice be involved in protecting all data in any system that holds personal data.

The DPO must interact effectively with people, because they will be publicly identified as the primary data protection contact for management, employees, suppliers, partners, customers, and the individuals identified by the personally identifiable information (PII) the company processes (the data subjects).

The DPO is responsible for informing and advising employees about data protection regulations, and for monitoring the company's compliance with those regulations and with its internal data protection policies.

Most importantly, the DPO is a key advisor to the company on the Data Protection Impact Assessments (DPIAs) that the GDPR mandates for processing likely to result in a high risk to individuals. A DPIA evaluates the origin, nature, likelihood, and severity of risks to personal data, and then recommends the measures, safeguards, and mechanisms for mitigating those risks.

In return, the GDPR requires that the company owe the following protections to its Data Protection Officer:

  • The company must allow the DPO to act independently and report directly to the highest level of management. The DPO must not receive instructions on how to carry out their tasks, and must not be dismissed or penalized for performing them, even when those tasks uncover inconvenient truths about the company.
  • The company must give the DPO the resources needed to do their tasks; must not assign the DPO other responsibilities that conflict with their data protection tasks; must not load the DPO with so many non-data-protection duties that too little time remains for the data protection tasks; and must support the DPO's ability to maintain their expert knowledge.

So, if you want the responsibility of playing defense for a company, then a Data Protection Officer role is for you.

David Znidarsic is the founder and president of Stairstep Consulting, where he provides intellectual property consultation services including IP forensics, M&A diligence, information security management, open source usage management, and license management. Learn more about David and Stairstep Consulting at www.stairstepconsulting.com
