The requirement to appoint a data protection officer stems from the passing of the General Data Protection Regulation (GDPR) in the UK on May 25th, 2018, which applies to any company that collects, stores, or processes personal data from residents of any country in the United Kingdom. Within the GDPR itself, there are clear expectations that someone must meet before they are even eligible to become a data protection officer. In this article, we will review the position’s primary functions and five characteristics that aid in success within the role.
In the early days of the GDPR, it was commonplace to find information online stating that an organization’s data protection officer needed to be a lawyer who lived in the United Kingdom with 7 to 10 years of experience in data security and relevant experience within Information Technology. This essentially limited the pool of qualified candidates to a very select group and created a false perception of a shortage of qualified individuals to take on this role.
Although the GDPR does emphasize the importance of having a qualified individual take the role of data protection officer (DPO), the requirements are not as set in stone as the specific schooling requirements or hard-and-fast industry experience standards that were spread around. According to the GDPR, the officer needs to be appointed based on their professional qualifications, expertise, and knowledge of data protection law. Many have cited this as a requirement for lawyers to fill this function. While a lawyer with adequate knowledge of and experience with privacy law would bring a robust set of skills, that does not mean a lawyer is required by law.
One distinction the GDPR makes for a qualified data protection officer is that their experience should be proportionate to the scope of data processing. For example, the requirements for the position in a small online retail store would be much lower than those for an officer in a company like Amazon. With thousands, if not millions, of user records processed each day, it would make sense that an online retail giant like Amazon would need a highly credentialed data protection officer with an expansive team supporting them.
Another misconception about the role is that this position can be shared among a team of individuals. While the GDPR suggests and encourages having a team responsible for data privacy and security measures as a whole, it clearly states that the data protection officer needs to be a single individual. Supporting roles under the officer remain heavily involved, especially as organizations grow and the scope of data protection increases in size and complexity. Ultimately, however, the responsibility for these duties needs to fall on one individual.
Responsibilities of the Data Protection Officer
Most of the responsibilities of the data protection officer are as expected, although a few might be a surprise. The officer must report to the company’s executive officers, which gives them full authority within their role. It is truly an officer’s role within the company and should not be treated as merely a task to assign to someone who already has other company responsibilities. The officer can hold other responsibilities within the company so long as they do not conflict with their primary role as the DPO. Any role within information technology or tied to revenue-driving goals that could create a conflict of interest should be avoided at all costs.
Your data protection officer needs to be well versed not only in the GDPR but in any other pertinent legislation related to data security within your industry. This ensures that your candidate meets the minimum requirements of the GDPR and serves as a resource to your company on all fronts of data security. It is important to note that while additional functions are permissible, as the person responsible for data privacy, the officer cannot hold any duties that create a conflict of interest with performing their GDPR compliance role.
The chief function of the data protection officer is to be a direct point of contact for the Information Commissioner’s Office. Therefore, this person should be capable of clear, professional communication with their point of contact within the office. Because of this, good communication skills are a significant asset to anyone selected for the role. Having someone who can communicate effectively and professionally is crucial to maintaining a strong relationship with the ICO.
The data protection officer must have the ability to think for themselves. Reporting to no one other than the executive team creates a unique level of autonomy for the position that could leave some people without a sense of direction. A qualified candidate, on the other hand, can think critically, solve pertinent issues as they arise, and proactively avoid them.
Literacy within your company’s specific industry is an integral part of being an effective data protection officer. This knowledge gives the individual the necessary insight to make data protection decisions to safeguard your data processes and save your organization thousands of dollars in fines. Industry experience will also give the officer an edge in knowing industry standards and best practices that might not be as clear from an outsider’s point of view. Industry experience does not necessarily have to mean direct expertise in data security but rather a holistic understanding of the essential functions of the industry to mitigate risk and ensure best practices are being followed.
Another beneficial skill for the individual to possess is the ability to teach. It will be the task of the DPO to lead in the implementation of proper employee training and be a resource to employees who have questions regarding continued compliance. Again, this person will serve as the expert in the room, and the emphasis on industry experience and a mastery of pertinent compliance law for your specific industry is essential.
An Overview of the Ideal Data Protection Officer
The data protection officer is a vital role that not only fulfills a requirement of the GDPR but also demands a wide range of skills to tackle the challenges that come with leading the data security and protection measures of your organization. An effective officer can work independently across multiple business channels and ensure pertinent tasks are completed effectively and efficiently. Another major asset is a robust understanding of industry-leading practices and a knack for fostering solid relationships with the appropriate government agencies. All in all, the role of the data protection officer, while only a few years old, has already proven to play a vital part in the success of businesses engaging in data processing that touches the United Kingdom. Ultimately, time will tell how this role will evolve. Still, we can only assume that the demand for highly qualified individuals to fill this requirement of the GDPR will continue to grow in the UK and worldwide.
Contributed by Accountable, LLC.
Accountable provides a comprehensive administrative framework to help organizations comply with data privacy regulations such as the GDPR, HIPAA, and CPRA. Their goal is to make compliance simple.