Oussama El-Hilali

The New Kids On The Block: Data Protection Officers

Data Protection Officers

The General Data Protection Regulation (GDPR) is officially here. Yet, organizations are still unaware, are ignoring, or flat out didn’t build in enough time to make sure they met all mandates of this expansive and impactful regulation. One of the lesser well-known requirements is the emergence of a totally new role: The Data Protection Officer (DPO). Organizations are required to (in some capacity) have a DPO on board, but this can be easier said than done.

The right stuff: what to look for in a DPO

Data Protection Officer

The Data Protection Officer (DPO) is sure to be the hot new role for companies operating in the European Union (EU). This individual will be responsible for ensuring anonymity and maintaining the personal information (PI) collected by the company during routine marketing and business practices. The DPO will build and implement procedures for collecting, processing, and storing personal information within the GDPR compliance framework.

The responsibilities of the DPO may appear to be relatively straightforward, but that’s far from the case. The new position is an intricate one and requires dual knowledge of cybersecurity and legalities. That said, individuals that possess this unique skillset are going to be in high demand. So much so that the International Association of Privacy Professionals predicted there are 75,000 new GDPR vacancies around the world. The DPO must also keep up to speed with amendments to the regulation, especially within the first 6 months of its enforcement. This level of expertise will no doubt come with a high price tag, which could present challenges for midsize organizations with limited wiggle room in their budgets.

Keeping the neighborhood safe

Due to the high cost of such advanced expertise, many experts are predicting that we’ll see a rise in compliance-as-a-service models in which a DPO would instruct the IT teams of several companies. This could be a cost-effective solution for many organizations who don’t have the available budget or resources to bring on an in-house DPO. However, each company will still be responsible for its data, so they must approach this outsourced model carefully. It will also be important for enterprises to seek advice from their data protection providers, as they can advise on which technology can help maintain compliance continuously.

So, how should an organization work with both their DPO and data protection provider to make sure they remain in regulators’ good graces? IT leaders should seek guidance on:

  • Phasing out old IT architecture: Legacy systems are often oriented around individual data management, so they lack the necessary features to provide a GDPR solution. Finding and removing these systems will be very important.
  • Where to spend money on new tools: Currently, there isn’t one tool, solution, or service that can protect and maintain compliance for every single aspect of GDPR. That said, companies need to make sure they’re investing in an effective suite of tools that enable improved data governance.
  • Defining personal data: In the GDPR, the phrase “personal data” is loosely defined. It can include everything from emails and email addresses, to information gathered during routine marketing and business activities. Setting an organizational guidance on what classifies personal information will be key.
  • The importance of email archiving: More than 60 billion emails are generated each day, so the potential for a compliance violation is massive because of the amount of personal information exchanged in emails. If there is a subject access request (SAR), the systems administrator must be able to identify and remove emails if a user withdraws their consent. Establishing set processes for producing and maintaining activity logs will also be important, especially in the event of an audit.
  • Keeping tabs on data: When companies store data of EU citizens, it needs to be held in the EU unless the user has provided consent for it be stored elsewhere. Unless a company has a system in place for acquiring this consent, it’s not likely a user has allowed them to store their information in another part of the world. This will be tricky for organizations with storage centers in different continents, so it’s going to be very important to establish a process for understanding where user data is stored.

There are many aspects of GDPR that are subject to interpretation, so organizations need to listen to and implement the advice from both their DPO and their data protection providers. Working with both is the best way to assure continuous compliance, even as amendments are made to the regulation and the technology landscape continues to change.

By Oussama El-Hilali, VP of products at Arcserve

Oussama El-Hilali

Oussama has nearly 25 years of IT and R&D experience driving and achieving product strategy and roadmaps, acquisition of new technology, and developing strategic business partnerships in both Fortune 100 and emerging companies. At Arcserve, he is responsible for managing product development.

View Website

CONTRIBUTORS

Organizational Transformation: Taking The DevOps Dive

Organizational Transformation: Taking The DevOps Dive

Taking The DevOps Dive The Gartner IT Glossary defines DevOps as “…a change in IT culture, focusing on rapid IT service delivery ...
Two 2017 Trends From A Galaxy Far, Far Away

Two 2017 Trends From A Galaxy Far, Far Away

Reaching For The Stars People who know me know that I’m a huge Star Wars fan. I recently had the ...
The IoT-Connected Car of Today - Cases From Hertz, Nokia, NTT, Mojio & Concur Technologies

The IoT-Connected Car of Today – Cases From Hertz, Nokia, NTT, Mojio & Concur Technologies

The IoT-Connected Car of Today Imagine a world where your car not only drives itself, but also says intelligent things ...
Gartner’s Hype Cycle for Emerging Technologies, 2017 Adds 5G, Edge Computing For First Time

Gartner’s Hype Cycle for Emerging Technologies, 2017 Adds 5G, Edge Computing For First Time

Gartner’s Hype Cycle for Emerging Technologies Gartner added eight new technologies to the Hype Cycle this year including 5G, Artificial ...
Opportunities and Pitfalls When Hiring a Chief Data Officer

Opportunities and Pitfalls When Hiring a Chief Data Officer

The Chief Data Officer As part of their digital roadmap, organizations are increasingly taking advantage of big data and making ...
The Shift from Monolithic to Microservices: What It Means for CTOs.

The Shift from Monolithic to Microservices: What It Means for CTOs.

The Shift to Microservices The shift in application development strategies is moving from monolithic design to isolated and resilient components ...
It’s Not Digital Transformation; It’s Digital “Business” Transformation – Part II

It’s Not Digital Transformation; It’s Digital “Business” Transformation – Part II

Previously in Part I “It’s Not Digital Transformation; It’s Digital “Business” Transformation – Part I” we introduced two fundamental digital ...
CloudTweaks Q&A: How Smart Will Your City Be by 2025?

CloudTweaks Q&A: How Smart Will Your City Be by 2025?

How Smart Will Your City Be by 2025? What role does back end infrastructure play in connecting IoT devices? Probably ...
The Cloudification of Healthcare: Benefits and Risks

The Cloudification of Healthcare: Benefits and Risks

Cloud Healthcare: Benefits and Risks Many organizations are moving most of their business-critical applications and workloads to the cloud. The ...
The Path to the Cloud: A Look at Different Approaches to Cloud Migration

The Path to the Cloud: A Look at Different Approaches to Cloud Migration

Different Approaches to Cloud Migration The public cloud has gained considerable momentum this past decade. Concerns about cost and security ...