Finding that rare jack-of-all-trades, the DPO

By Matthew Smith, CTO at Software AG.

As with any commodity, scarcity and high demand create an increase in price, and data protection officers (DPOs) can practically write their own ticket these days. We’ve seen some commanding salaries of up to ?1 million per year.
 
“What!? Why?” you may well ask.
 
Well, DPOs are rare, and under the General Data Protection Regulation (GDPR), companies with over 250 employees will have to appoint one. Indeed, the International Association of Privacy Professionals (IAPP) estimates that the number of DPOs required under the GDPR in Europe alone will be at least 28,000, so they are certainly in high demand.
 
A DPO has to be a jack-of-all-trades: an expert in data protection and law, a key communicator between the C-suite and staff, and a leader capable of turning compliance issues into business opportunities (and that’s the REAL trick).
 
The DPO’s role is a complex one, with little official guidance offered so far. Organisations need to think seriously about how they can recruit for this role, as well as how they train staff effectively to ensure they are not left exposed to GDPR sanctions due to poor data practices.
 
The DPO will need to possess four important skill sets:
 
Techy know-how
 
According to the GDPR, the DPO is required to offer guidance on risk assessments, countermeasures and data protection impact assessments. DPOs must have significant experience in data security, privacy, best practice, risk mitigation and information security standards certifications.
 
While compliance checklists may be a useful tool, the DPO position requires an experienced professional, particularly as risks evolve and change constantly. DPOs need to know the threat landscape inside out, and be keen to expand their knowledge when new technologies emerge. These skills are usually developed through experience within IT programming, IT infrastructure development and auditing. A strong technical understanding is also important for the DPO to drive innovation.
 
Legal understanding
 
Within the GDPR, Recital 97 and Articles 37.1, 37.5, and 38.5 specify that the DPO should be “a person with expert knowledge of data protection law and practices” and “perform their duties and tasks in an independent manner”.
 
The DPO therefore needs a strong knowledge of not only GDPR rules, but also other relevant EU legislation. This is in addition to understanding privacy and related laws in all jurisdictions that their organisation does business in or outsources operations to.
 
DPOs are also required to act in an independent manner and maintain confidentiality. Business experience is therefore important when handling delicate tasks such as discovering gaps in security best practice and ensuring compliance.
 
C-suite translator
 
The DPO is a key communicator between the C-suite and employees and vice-versa. He or she is well-placed to bridge the gap between the two and offer insights and recommendations for best practice. The DPO should also have a global focus, just like the C-suite does. This requires experience within the industry so that the DPO is a trusted advisor across the organisation.
 
The DPO should also be thinking about the business opportunities that result from the processes put in place by the GDPR. This could be new ways of working with more collaboration. To make the most out of the GDPR, companies need to re-evaluate longstanding processes, encouraging teams to think about the way they work and challenge the norm.
 
Business change in preparation for GDPR must be a top-down approach; it cannot be an exclusively tech project. It is vital that all levels of a company understand that the protection of personal data should be respected. Companies are trusted with personal data by customers; they don’t own it, so they should take care of it to the very best of their abilities. The appointment of a DPO is a strong message to customers that your business is taking data seriously.
 
People skills
 
DPOs need to have leadership and project management skills to mobilise the changes that GDPR requires within an organisation. Business experience is vital for a successful DPO. When implementing changes within an organisation, technology is often less than half the game. Cultural acceptance, change management and common goals are vital.
 
GDPR provides businesses with the opportunity to ensure that processes surrounding data management are implemented, and this brings with it great opportunities to make the most out of the data that your organisation is producing. In this digital age, data is the new currency and it should be seen as a business enabler.
 
So, you can see why the DPO needs to be a jack-of-all-trades.
 
Each of these key traits is valuable and rare on its own, but when combined, your desired DPO is a scarce commodity indeed.
 
If you do find that gem of a DPO, then hang onto them tightly. He or she will help push your organisation into making the most out of GDPR, treating it not as a compliance burden but as an opportunity for change and collaboration to further innovation.