What to Look for in Your GDPR Mandated Data Protection Officer
The European Union’s General Data Protection Regulation (GDPR) requires the designation of a data protection officer (DPO). With the GDPR having gone into effect last May, we trust if you’re on the hook for GDPR compliance you’ve already done this.
Data protection is, of course, never-ending. And while there hasn't been a sea of major GDPR-related fines and resolutions, the regulators are not sitting still. In fact, on July 8, the British Information Commissioner's Office (ICO) posted a notice of its intent to fine British Airways $205.7 million for GDPR infringements. According to ICO officials, the incident in part involved user traffic to the British Airways website being diverted to a fraudulent site, where cyberattackers harvested the personal data of approximately 500,000 customers.
The first major penalty was France's $56.5 million fine against Google in January for violating GDPR in the areas of (1) obligations of transparency and information, and (2) having a legal basis for ads personalization processing. According to a report from the European Data Protection Board, regulators in 11 European countries have issued around $63 million in fines related to GDPR violations.
Is your DPO living up to the designation requirements set in Article 37 of the GDPR? What kinds of skills and traits should the DPO have?
Knowledge of Law and the Organization
A DPO should have a deep understanding of both the law and the organization, said Victoria Beckman, co-chair of Frost Brown Todd’s privacy and data security team. Some of the tasks of the DPO, she added, include assessment of risk, training of employees and advice to the organization. “Knowing the law alone is not sufficient to understand how to balance legal compliance with the requirements of a particular business,” she said.
Great Communication Skills
The DPO is also the face of the company in front of the GDPR supervisory authorities. As such, the DPO needs to have the ability to advocate and present his or her ideas in a concise but effective manner, according to Beckman. "This requires organization, cultural understanding and the ability to negotiate," Beckman said. "Organizational skills are required to ensure a smooth documentation process, compliance with internal procedures and even timely response and notification in case of a data breach."
An Understanding of Different EU Cultures
Cultural understanding is also critical, Beckman said, because DPOs may be dealing with the idiosyncrasies of data subjects in different EU countries. "Similarly," she added, "the ability to listen and compromise when needed to achieve solutions that are compliant with the law but that also respect the company's culture and operational challenges is vital."
A good DPO will possess many of the same skills as a good CEO, according to Aaron McKee, CTO at Blis. This means the DPO must have the ability to craft and execute a vision in an environment with significant ambiguity and a “militant ability to focus and prioritize.”
Because the GDPR is fairly new, McKee added, a DPO will need to make clever guesses in many areas in a way that “balances the risk of getting the decision wrong and running afoul of the regulators against the risk of excessive conservatism making the business uncompetitive.”
Create Privacy by Design
Daniel Raskin, CMO at Kinetica, said the DPO must work closely with the business's management and IT to embed privacy into the core products and operations of the business. Without the backing of IT and the fulfillment of infrastructure-related needs, it will be a very long road for DPOs. A DPO likely won't make the technology decisions that help with data protection and management, but will need a seat at the table alongside IT.
Culture of Data Respect, Evangelism
The DPO must build a culture that respects data privacy as a first principle, empowering employees to make data protection decisions early and often across processes and products, Raskin said. “The DPO is at the forefront of the data-driven Fourth Industrial Revolution,” Raskin said. “Their responsibility is to champion data protection within the company as well as in the public forum because the standards set now will impact consumers as well as corporations for years to come.”