The New Kids On The Block: Data Protection Officers

Data Protection Officers

The General Data Protection Regulation (GDPR) is officially here. Yet, organizations are still unaware, are ignoring, or flat out didn’t build in enough time to make sure they met all mandates of this expansive and impactful regulation. One of the lesser well-known requirements is the emergence of a totally new role: The Data Protection Officer (DPO). Organizations are required to (in some capacity) have a DPO on board, but this can be easier said than done.

The right stuff: what to look for in a DPO

Data Protection Officer

The Data Protection Officer (DPO) is sure to be the hot new role for companies operating in the European Union (EU). This individual will be responsible for ensuring anonymity and maintaining the personal information (PI) collected by the company during routine marketing and business practices. The DPO will build and implement procedures for collecting, processing, and storing personal information within the GDPR compliance framework.

The responsibilities of the DPO may appear to be relatively straightforward, but that’s far from the case. The new position is an intricate one and requires dual knowledge of cybersecurity and legalities. That said, individuals that possess this unique skillset are going to be in high demand. So much so that the International Association of Privacy Professionals predicted there are 75,000 new GDPR vacancies around the world. The DPO must also keep up to speed with amendments to the regulation, especially within the first 6 months of its enforcement. This level of expertise will no doubt come with a high price tag, which could present challenges for midsize organizations with limited wiggle room in their budgets.

Keeping the neighborhood safe

Due to the high cost of such advanced expertise, many experts are predicting that we’ll see a rise in compliance-as-a-service models in which a DPO would instruct the IT teams of several companies. This could be a cost-effective solution for many organizations who don’t have the available budget or resources to bring on an in-house DPO. However, each company will still be responsible for its data, so they must approach this outsourced model carefully. It will also be important for enterprises to seek advice from their data protection providers, as they can advise on which technology can help maintain compliance continuously.

So, how should an organization work with both their DPO and data protection provider to make sure they remain in regulators’ good graces? IT leaders should seek guidance on:

  • Phasing out old IT architecture: Legacy systems are often oriented around individual data management, so they lack the necessary features to provide a GDPR solution. Finding and removing these systems will be very important.
  • Where to spend money on new tools: Currently, there isn’t one tool, solution, or service that can protect and maintain compliance for every single aspect of GDPR. That said, companies need to make sure they’re investing in an effective suite of tools that enable improved data governance.
  • Defining personal data: In the GDPR, the phrase “personal data” is loosely defined. It can include everything from emails and email addresses, to information gathered during routine marketing and business activities. Setting an organizational guidance on what classifies personal information will be key.
  • The importance of email archiving: More than 60 billion emails are generated each day, so the potential for a compliance violation is massive because of the amount of personal information exchanged in emails. If there is a subject access request (SAR), the systems administrator must be able to identify and remove emails if a user withdraws their consent. Establishing set processes for producing and maintaining activity logs will also be important, especially in the event of an audit.
  • Keeping tabs on data: When companies store data of EU citizens, it needs to be held in the EU unless the user has provided consent for it be stored elsewhere. Unless a company has a system in place for acquiring this consent, it’s not likely a user has allowed them to store their information in another part of the world. This will be tricky for organizations with storage centers in different continents, so it’s going to be very important to establish a process for understanding where user data is stored.

There are many aspects of GDPR that are subject to interpretation, so organizations need to listen to and implement the advice from both their DPO and their data protection providers. Working with both is the best way to assure continuous compliance, even as amendments are made to the regulation and the technology landscape continues to change.

By Oussama El-Hilali

Kip Compton

What’s Ahead for Cloud

The Cloud 2018 was an incredible time for cloud. Its impact on customer experiences, business processes and models, and workforce innovations was undeniable. We saw more and more use cases where customers started leveraging multiple ...
Sangeeta Chhabra

Why ‘Cloud’ Should Be A Skill In This Age of Automation

The Age of Automation It is astonishing how the world around us is changing rapidly. More and more companies are now planning their move to the cloud and revamping their business models. Cloud computing has ...
David Friend

Data Centers Need to Wake Up and Compete with the Hyperscalers

Data Centers Need to Wake Up and Compete with the Hyperscalers Win Customer Hearts & Minds and Become a Trusted Technology Partner Data center operators have a choice: either they can expand their cloud offerings ...
Gary Taylor

5 Reasons Why Virtual Desktop Infrastructure Will Go Mainstream Post 2020

Virtual Desktop Infrastructure Growth Virtual Desktop Infrastructure (VDI) technology enables remote users to access their desktop from anywhere using an internet connection. This technology has been around for a couple of decades but never received ...
Trust Report

Profit-Driving Strategies for 2020, Backed by Data

Profit-Driving Strategies Since 2019 is coming to a close, the time has come for businesses to evaluate what they can do to propel profits in 2020. The vast array of possibilities can make an enterprise's ...
Robert Van Der Meulen

Focusing on Online Gaming Security During Development

Online Gaming Security Infrastructure Updated article: June 2nd, 2020 There are millions of gamers around the globe and as of 2018, video games generated sales of US$134.9 billion annually worldwide. As video games continue to ...