The General Data Protection Regulation (GDPR) will be enforced starting on May 25, 2018. One of the requirements of the GDPR is that many companies that handle personal data of EU citizens will need to appoint either an employee or a contractor to be their Data Protection Officer.
This role is sometimes mistitled as Data Privacy Officer. The authors of the GDPR consciously call it a data protection regulation and call its champion a data protection officer to emphasize that confidentiality and integrity of personal data are just as important to data privacy as receiving consent to collect that personal data in the first place.
Therefore, coming into the role, the Data Protection Officer (DPO) must have expert knowledge of data protection law and the practices necessary to protect data, because they will be involved with all issues related to the protection of personal data. Since personal data often is not (or cannot feasibly be) isolated from non-personal data, the DPO will be involved in the protection of all data in systems that have any personal data.
The DPO must effectively interact with people, because they will be publicly identified as the primary data protection contact for management, employees, suppliers, partners, customers, and the people identified by the personally identifiable information (PII) processed by the company (aka data subjects).
The DPO is responsible for informing employees of data protection regulations and for monitoring the company’s compliance with these regulations and with internal data protection policies.
Most importantly, a DPO is a key advisor to the company regarding the Data Protection Impact Assessments that are mandated by the GDPR. These assessments evaluate the origin, nature, and severity of risks to personal data, and then recommend the measures, safeguards, and mechanisms for mitigating those risks.
In return, the GDPR requires that a company provide the following protections to its Data Protection Officer:
- The company must allow the DPO to act independently and report to the highest levels within the company, that is, not receive instruction on how they fulfill their tasks and not be penalized for doing their tasks, even if those tasks uncover some inconvenient truths about the company.
- The company must give the DPO the necessary resources to do their tasks, not assign responsibilities to the DPO which present a conflict of interest with their data protection tasks, not assign non-data protection responsibilities to the DPO so broad as to not give the DPO enough time to perform their data protection tasks, and support the DPO’s ability to maintain their expert knowledge.
So, if you want the responsibility of playing defense for a company, then a Data Protection Officer role is for you.
David Znidarsic is the founder and president of Stairstep Consulting, where he provides intellectual property consultation services including IP forensics, M&A diligence, information security management, open source usage management, and license management. Learn more about David and Stairstep Consulting at www.stairstepconsulting.com.