The new European General Data Protection Regulation will require many organisations to appoint a Data Protection Officer with a blend of skills that makes it almost impossible to find the right person. However, the more data management-savvy cloud providers have what it takes to fill the gap.
When the European General Data Protection Regulation (GDPR) starts to apply on 25 May 2018, every organisation will have to ask itself a vital question: does it need to appoint a Data Protection Officer?
Meeting the obligations of any new data regulation has always been onerous, but GDPR is about to increase the burden substantially. It covers the personal data of individuals in the EU wherever that data is processed, and it requires many organisations to appoint a Data Protection Officer (DPO). The role is complex, and many organisations may still be working out whether they need one, what the job involves and who can do it, until it is too late.
Who requires one of these new officers? Most organisations do
Before the technicalities of the role are even considered, many businesses will be poring over the new regulation to discern whether they are really required to appoint a DPO. Article 37 of the GDPR specifies that a DPO must be appointed by: all public authorities and bodies, except courts acting in their judicial capacity; any organisation whose core activities involve regular and systematic monitoring of individuals on a large scale; and any organisation whose core activities involve large-scale processing of data relating to criminal convictions and offences, or of the so-called "special categories" of data, such as genetic data, health data, racial or ethnic origin or sexual orientation.
These criteria will excuse many organisations, but even where the GDPR does not specifically require a DPO, the ICO and other supervisory authorities regard creating the post as good practice. An organisation deciding it does not need a DPO should also consider how long it can remain on the right side of the regulation without one: the same obligations apply whether or not a DPO is appointed, and the decision not to appoint one can make meeting them harder, not easier. Either way, the reasoning behind the decision should be documented, because the regulator may ask for it.
Who has the expertise to oversee this huge range of responsibilities?
A DPO's responsibilities are enormously wide-ranging. In summary, the job is to oversee all processing of personal data within the business that falls under GDPR. But this simple definition hides the gargantuan scope of the task. It includes monitoring how data is collected, checking that there is a documented lawful basis for holding it, ensuring it is stored securely, reviewing where the organisation is exposed, advising on data protection impact assessments and, in many cases, overseeing the deletion of data the business would rather keep.
The multi-faceted nature of the job raises another question: who is qualified to be a DPO? The requirements can make the DPO's job description sound like some kind of data protection superhero, capable of translating legal requirements into both processes and technical controls, overseeing awareness-raising and staff training, all while empowering rather than restricting the company's wider vision.
And in case this wasn't enough, it stands to reason, and the regulators' guidance on DPOs says so explicitly, that the more complex or high-risk the data processing activities are, the greater the expertise of the DPO will need to be.
Avoid appointing information security personnel
This is a demanding set of responsibilities, and the frequent confusion between privacy and security means they are often handed to whoever is responsible for security. That is the wrong approach. Anyone with an information security remit is charged with protecting the company and its data, whereas the DPO's responsibility is to protect the interests of the data subject, even where those appear to clash with the company's. The regulation makes the point itself: Article 38 requires that any other tasks the DPO holds do not result in a conflict of interests, and a role that decides how and why personal data is processed, such as head of IT or security, is exactly such a conflict.
A DPO must be able to report independently to the highest level of management and must not be penalised for doing the job. The same independence matters when things go wrong: if a breach is likely to put individuals at risk, the organisation must notify the supervisory authority within 72 hours of becoming aware of it, and whether to do so cannot be something the DPO is pressured to debate.
How to choose the right alternative
When the role is reviewed in full, it is a miracle anyone wants to be a DPO. This hardly makes recruitment easy, especially as the GDPR deadline approaches and qualified personnel are in short supply.
The complexity and demands of the job, the skills shortage and the cost of appointment will inevitably push organisations towards a more pragmatic approach in which they rely on external expertise. Hence the concept of "DPO-as-a-Service", which the regulation itself permits: Article 37 allows the DPO function to be fulfilled under a service contract.
There is a range of possible sources of expertise, from lawyers to management consultants. But despite what many of these service providers may claim, meeting the continuing requirements of a DPO under the new regulation is not solved with an audit and a list of recommendations. That delivers a one-off snapshot, not ongoing compliance. Ongoing compliance requires a far more rigorous understanding of the way data comes into and moves through a business, including, but certainly not limited to, the technology involved.
Indeed, where an organisation is advanced enough to have already moved to the cloud, the additional dynamic that the cloud brings to data usage would logically make cloud providers more suitable partners – provided they are not only cloud experts, but also genuine specialists in data management.
Many cloud providers purport to accommodate data management and privacy in their services, but few in fact have the history, knowledge or expertise to back up their claims. For many, data management is considered almost an add-on, in much the same way as an additional service, such as back-up or disaster recovery.
In fact, the only cloud providers that are suitably qualified to offer data management – and DPO-as-a-Service – are those that have built their original services around data management principles rather than the cloud basics of flexibility, uptime and scalability.
This is a specially-qualified group that is capable of simultaneously advising on and implementing cloud strategy while leaning on long-standing experience in data management and the surrounding legislative frameworks, including GDPR. It is only this rare class of provider that can offer immediate access to consultancy along with the sophisticated tools that assist in fulfilling obligations on a day-to-day basis.
Businesses are understandably concerned about the whole question of DPO functions and roles, and are inevitably seeking external support before GDPR applies from 25 May. It is perfectly natural for businesses that hold their data in the cloud to seek advice on data management from their cloud providers. But that should only happen where the individual provider genuinely has the track record, focus and expertise to offer such consultancy or services, and where the arrangement still gives the outsourced DPO the independence and access to management that the regulation demands.
Sophie Chase-Borthwick, Global Lead – GDPR Services at Calligo