The General Data Protection Regulation (GDPR) creates jobs. OK, one job: the GDPR mandates a new formal position of Data Protection Officer (DPO) to preside over 'privacy by design', strategy development, planning and operational resources.
In fact, the GDPR states that all companies over 249 employees must have a DPO, though it's not yet certain that it must be a full-time role. "A DPO role is not a new one, but it is critical to help businesses comply with GDPR," says Stuart Clarke, CTO, Cybersecurity at Nuix. "The purpose of this role is to bridge the gap between technology and legal departments as well as HR and PR."
There are also suggestions that DPOs will need to be independent of the hierarchy of the company. "The DPO must be independent and is responsible for not only managing compliance within the business, but also reporting non-compliance to the relevant regulator," explains Robert Bond, Partner at the law firm Charles Russell Speechlys. "The DPO is therefore the internal policeman and the whistle-blower at the same time."
This is about a lot more than IT.
Which companies need a DPO?
All public sector organisations and many private sector organisations. "The GDPR does not make it mandatory for all data controllers and data processors to have in place a DPO," explains Lucy Pegler, an associate in Technology, Media and Telecommunications at Burges Salmon. "Where it is mandatory, the targeted organisations are ones that process large volumes of data or particularly sensitive data."
So not all companies will need a DPO, though that doesn't mean they're off the hook. "Even in companies which do not require a DPO, the necessity for someone to take ownership of data is still there," says John Culkin, Director of Information Management at Crown Records Management, who offers an intriguing analogy. "No-one washes their hire car, and similarly without data ownership it is likely that data will not be well maintained."
It will also depend on what other staff are present within an organisation. "Where, in larger organisations, they would work alongside the Chief Data Officer (CDO) who has accountability for all the company's data, the DPO's primary focus will be ensuring personal data is kept private," according to Nigel Tozer, Solutions Marketing Director, EMEA, Commvault. In smaller organisations that do not have a CDO, a DPO becomes even more important.
Why do we need DPOs at all?
Basic compliance with the GDPR, that's why. "Any strategy for managing data privacy requires someone with a holistic view of the whole business who is independent from any one sector of the company," says Yves Le Roux, Technology Strategist for CA Technologies and co-chair of the (ISC)2 EMEA Advisory Council.
As a society we are more dependent than ever on data, and that goes double for business. "It's critical for businesses to get a handle of where their data is, how it is stored, and who has access to it," says Phil Bindley, CTO at The Bunker. "A failure to do this means running the risk of getting hauled in front of the Information Commissioner's Office and a hefty fine." 5% of global annual turnover, in fact. So it's about money?
"This role is critical in today's world more than ever," says Michael Aminzade, VP Global Compliance & Risk Services at Trustwave, who suggests that the current fear over the GDPR and its proposed fines is down to the fact that most businesses never actually complied with previous legislation. "Management teams will become more dependent on this role as regulation continues to tighten while impact and penalties continue to grow in magnitude," he adds.
Since it changes the data landscape in Europe, compliance with the GDPR is also about business success. "The new regulation means that any business that suffers a data breach will be forced to declare it, and they'll be put in the spotlight for all the wrong reasons – leading to a damaged reputation and loss of customers," says Jason Hart, CTO Data Protection, Gemalto. The solution? Appoint a DPO.