Get to Know the DPO: Under GDPR, You May Need One - InformationWeek
IoT
IoT
Blogs
Commentary
8/3/2017
07:00 AM
Thomas Fischer, Global Security Advocate, Digital Guardian
Thomas Fischer, Global Security Advocate, Digital Guardian
Commentary
50%
50%

Get to Know the DPO: Under GDPR, You May Need One

Getting ready for GDPR now will allow ample time for testing and assessing the new protocols, hiring the right data protection officer and ensuring they are operating effectively.

When the EU General Data Protection Regulation (GDPR) takes effect globally on May 25, 2018, more than 9,000 U.S. firms will be required to hire a Data Protection Officer, or DPO, to ensure its strict data protection regulations are met.

The DPO will be responsible for educating the company and its employees on the important requirements of GDPR, training staff involved in data processing, and conducting regular security audits. DPOs will also serve as the point of contact between the company and any supervisory authorities that oversee activities related to data collection or processing.

Considering that this a brand new role for organizations, executive teams and board members will have to ask themselves a few very important questions.

Will my organization need to hire a DPO?

All public organizations (government agencies or other entities) will be required to appoint a DPO under GDPR, as will any organization processing data requiring systematic monitoring of subjects on a large scale – or processing special categories of sensitive personal data such as health, religion, race, sexual orientation, and personal data relating to criminal convictions and offenses. Generally, a DPO will be required if the company processes and manipulates personal data – e.g. banks, healthcare, credit companies – but not if it only has HR data.

Does the DPO need to be a member of my organization?

Bringing on a DPO may be a sound decision whether your organization is required to have one or not. They don’t need to be members of the organization, but the expertise of any external DPO must align with a business’ data processing operations and the level of data protection required for the personal data processed by data controllers and data processors.

What skills are needed for the role?

Finding someone with the right blend of experience will be challenging. The role will require a rare combination of skills including an understanding IT, operations, data security, data protection laws and practices, and the ability to promote a data protection culture within the organization. Think of the DPO as a free safety in football – someone who can combine expertise from the Chief Compliance Officer along with certain skills of a CISO or CTO. Finding the right fit may take time, so organizations should consider a candidate who comes close to fitting the bill, then helping them close the gaps with the proper certifications and training in advance of the GDPR enforcement date.

How do I find the right DPO?

Organizations should start evaluating potential DPO candidates now to determine if they meet the requirements while being a valuable addition to the GDPR stakeholder team. First look for candidates already working within the organization, as they will have the best understanding of the business. Your DPO will want to conduct a visibility assessment to best understand risk exposure and prioritize compliance efforts. He or she will need to understand the company’s existing data sources and examine what types of personal data – particularly GDPR-regulated data – is being collected, handled and stored.

What else do I need to know?

Whatever technologies are implemented to support this effort, it will be imperative to first understand how they enable personal data to be processed. Then controls must be placed around that data – e.g. implicit consent (opt-in), the right to be forgotten, transparency, pseudonymisation and data portability – as end users have the right to receive documentation of how their personal data is being used and stored. Additionally, use of the data can be audited and shouldn’t be different than what the user opted in for. If usage changes, a company must notify the user and allow them to opt-out.

GDPR was crafted to be intentionally nebulous in how it prescribes solutions or technologies to achieve the necessary data controls and protection. The legislation was designed to be flexible in how it requires organizations and their DPOs to comply with its technology mandates. They kept things a bit open ended to best accommodate new and emerging technologies, like cloud-based systems, IoT and machine learning, which didn’t exist when previous data protection regulations were established. Unfortunately, this leaves many companies lacking guidance as to what technologies can help them get in step with GDPR’s requirements.

While May 25, 2018 might feel far off, getting ready for GDPR now will allow ample time for testing and assessing the new protocols, hiring the right DPO and ensuring they are operating effectively. Aligning your business to GDPR may seem like a daunting task, but hiring the right DPO can help the organization prevent potential financial and regulatory consequences down the line.

Thomas Fischer
Thomas Fischer

Thomas Fischer is a global security advocate at Digital Guardian, where he plays a lead role in advising customers, investigating malicious activity and analyzing threats. With more than 25 years of experience, Thomas has a unique view on security in the enterprise with experience in multiple domains from risk management and secure development to incident response and forensics. During his career, Thomas has held varying roles from incident responder to security architect for fortune 500 companies, as well as industry vendors and consulting organizations.

The InformationWeek community brings together IT practitioners and industry experts with IT advice, education, and opinions. We strive to highlight technology executives and subject matter experts and use their knowledge and experiences to help our audience of IT ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Video
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll