The concept of a data protection officer (DPO) has existed for many years but is now, in most cases, a requirement under the European Union’s (EU) General Data Protection Regulation (GDPR), which takes effect in May 2018. Failure to meet its regulatory standards could cost organizations millions in legal fees or even more in noncompliance fines. Depending on the nature of the violation, GDPR penalties can be 2% of global revenue — or roughly $10 million, whichever is greater. At the upper end, fines can range up to 4% of global revenue, amounting to billions of dollars for some organizations.
The EU views privacy as a human right, so the role of the DPO both protects business interests and serves as a champion for data subjects (including customers, clients and employees). The law also calls for the DPO to have a reporting line to the “highest management levels” and for full access to the board.
“The scope and magnitude of the DPO role make it difficult for organizations to determine how to best fill the position,” says Brian Lee, practice leader at CEB, now Gartner. “And organizations don’t have much time to figure it all out.”
Rising regulatory rigor: No more ‘grace period’
Most organizations are hoping for leeway if a good-faith effort toward compliance is underway when the GDPR takes effect on 25 May 2018. But even in the United Kingdom, which is unwinding its ties to the EU, there is no choice but to be ready. Because there has been a two-year ramp-up to the GDPR deadline, privacy experts predict that data protection authorities will be on the lookout for egregious examples of noncompliance and will single them out for enforcement immediately.
But organizations still have some room to maneuver.
The GDPR requires enterprises under its jurisdiction to hire, appoint or contract a DPO, which offers plenty of flexibility. It further elaborates that while only one DPO can be appointed, the role can be supported by a dedicated team. As long as the DPO is accessible and independent, organizations can choose between an internal or external model, and even a centralized or dispersed team.
Three ways to fill the DPO role
One option for large organizations is to appoint the lawyers they have in every country as members of a dispersed DPO team. A designated DPO, likely from the company’s legal department, would head the team. There are three upsides to this approach. First, the entire team is very familiar with enterprise processes. Second, they already have relationships with local privacy authorities. Third, they can speak the local language, which is critical when it comes to understanding local laws.
While a team-based approach and external consultants are both compliant with the GDPR, regulators have suggested that it is better to have a DPO on-site than to outsource the role, because an on-site DPO signals that the organization is serious about privacy issues.
But it won’t be easy to find someone to fill the role of the DPO. The people with the right skills are highly sought after by companies around the world. After all, the profile of data privacy has risen rapidly over the last few years, yet it takes time to acquire the training and experience necessary to become a seasoned privacy professional. Most organizations opt for one of three choices:
- Hire an external DPO — but organizations may need to pay more, given the market demand
- Use third-party advisors, such as consultants and lawyers, to supplement legal teams
- Train existing staff, and help them gain industry-recognized credentials