With 200 pages telling businesses how to handle customer data come May 2018, the EU’s General Data Protection Law has inadvertently created a long list of job openings – 75,000 by some estimates – for those who can responsibly juggle big chunks of data.
One of the many GDPR requirements is the mandatory Data Protection Officer – a self-explanatory job title for a complex role.
Privacy experts at TrustArc point out that the new law will allow organizations to share a DPO amongst subsidiaries or associated business units, or outsource the role.
The International Association of Privacy Professionals (IAPP), another privacy-focused organization, estimates that as many as 75,000 DPOs will be appointed globally in response to the GDPR. That’s 75,000 potential job openings for either someone already working internally with data, or an outsourced / contracted party.
Despite all the GDPR grumbling these days, the Data Protection Officer role has been around for almost two decades. The only difference now is the increased focus, and extra pressure, on having these shoes filled if your business is to collect, route or manage “personally identifiable information” (PII).
So, what does a Data Protection Officer do? The European Data Protection Supervisor, the EU's independent data protection authority, describes the role as follows:
“It is the DPO's duty to ensure in an independent manner the internal application of the data protection rules applicable to the EU institution. This also involves other tasks such as ensuring that controllers and individuals (data subjects) are informed of their rights and obligations, and cooperating with the EDPS at his request or on their own initiative.”
Data-loss prevention firm Digital Guardian offers a more plain-English definition:
“Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.”
Since as early as 2001, the EDPS has established that the DPO’s functions within a given institution include:
Information and raising awareness – inform staff members of their rights, and inform controllers and the institution/body of their obligations and responsibilities;
Advisory function – ensure that the Regulation is respected and advise controllers on fulfilling their obligations;
Organizational function – organize a register of processing operations;
Cooperative function – respond to requests from the EDPS and cooperate with the EDPS at the latter's request or on his/her own initiative (within the sphere of their competence);
Monitoring of compliance – ensure the application of the Regulation within the institution;
Handle queries or complaints – the DPO is essentially granted investigation functions (but not in a mandatory way);
Enforcement – bring to the attention of the Appointing Authority any compliance failures.
Businesses processing “user identifiable information” must have a DPO starting next year or so. The only question remaining is: do you already have an internal resource for the role, or will you have to hunt one down externally?