What would a DPO do?
DPOs will need to know everything about the company's data: where it's stored, what it is used for and by whom, and who the data controller and custodian are. Add knowledge of privacy and security controls, retention timeframes, scheduling data housekeeping and management reporting, along with handling cyber-attacks, and being a DPO certainly sounds like a full-time job.
"Their role is to make sure their company is not the next TalkTalk or Ashley Madison, hit by a major security breach," says Stephen Love, Security Practise Lead EMEA at Insight, though he's not sold on a DPO necessarily being full-time. "These responsibilities could fall with an existing Chief Information Security Officer (CISO) as it is already part of their remit," he says, adding that such an approach could be beneficial for organisations that may not have the extra budget for the new position of DPO.
"While it may seem to have some overlap with the Chief Information Officer (CIO) role, the difference is that CIOs typically don't own the data – rather they focus on the IT assets," says Javvad Malik, Security Advocate at AlienVault.
What would a DPO not do?
A DPO is there to satisfy regulators, not understand and combat threats to data. "A DPO is a person who defines your processes around data protection," says Simon Kouttis, Head of Cybersecurity Practice at executive recruiter Stott and May. "They can often tell you what documentation you need and how to satisfy regulatory requirements [but] they would not have the breadth of knowledge to protect your data." That's the job of the CISO, or other security professionals.
What is 'privacy by design'?
It's a major theme of the GDPR – 'privacy by design' will become integral to all technology projects. "Privacy by design requires every company to put data privacy at the heart of everything from its procurement policies to its BYOD policy, its IT training and the info-security controls it deploys," says Le Roux.
Privacy by design will take such a central role because the IT industry has routinely ignored privacy. "Traditionally privacy and confidentiality have played a low priority role in the development of applications software," says Dave Levy, Associate Partner, Citihub Consulting, citing the slow adoption of DNSSEC and 'https everywhere' as indicators of the reticence of business solutions developers to adopt even standard infrastructure tools.
Will DPOs be successful?
Okay, so companies need to appoint a DPO to set policy on data protection, but will they actually have any power to do anything about it? "Possibly no," says Jes Breslaw, EMEA director of strategy, Delphix. "Data is sprawled throughout an organisation – hundreds or even thousands of production copies sit in development, testing, analytics, reporting and other business units, and data-related processes are defined at the project level with little consistency across the business." It's going to be difficult for most DPOs to enforce their policies.
"The DPO role will be strategic, and capable of building bridges between different organisational silos, such as the CIO, CISO, Chief Data Officer," says Bojana Bellamy, President of Hunton & Williams LLP's Centre for Information Policy Leadership.
When do DPOs need to start work?
The GDPR begins in two years, but the longer companies leave it, the more a DPO is likely to cost. "Salaries will rise the nearer we get to deadline and the suspicion is most companies will wait until the month before implementation to act," says Culkin, who thinks small companies could outsource the role.
"We may well see specialised Data Protection Officers covering several clients," he adds.
"The International Association of Privacy Professionals (IAPP) has just published research that shows that 28,000 DPOs will be required to be appointed across Europe. There is going to be a shortage of skilled DPOs!" says Bellamy.
Some will see DPOs as an unnecessary burden on a business, but a more positive outlook is recommended. "Good information security and privacy can be used as a differentiator and help build reputation and grow a business," says Debbie Evans, the Global Legal and Commercial Director at Clearswift. "Regulations might be seen as a real pain, but treating them as an opportunity is the best way forwards to compliance."
As we move into an era of more and more IoT sensors and devices collecting data, more data breaches, and more regulation, the position of DPO will become as important as an accountant. One thing's for sure – the IT industry will be taking personal data privacy a whole lot more seriously by 2018.