September 19, 2019
The role of a Data Protection Officer (DPO) has come into sudden sharp focus after the EU's General Data Protection Regulation law came into effect on May 2018.
Yet many people outside the EU still do not clearly understandthe role of a Data Protection Officer. Here is a brief and not technical primer.
All services we use from banks through social media and government agencies tohospitals collect and store a vast amount of data about us - their users.
At the very least each of these organizations has access to customers'name, address, phone number, credit card number, government ID number. Someorganizations also have details of customers' financial status, purchase history,political views, the state of physical and mental health, and much more.
The Facebook-Cambridge Analytica scandal showed that there is anurgent need for regulations to protect customers' data, bring transparency in data processing, and measures toprevent mishandling. That was just one instance. There might be hundreds ofthese cases that the world does not know about.
In this context the mandate of a DPO is rather simple:
? to ensure that data are collectedlegitimately and ethically
? to ensure that data are stored securely
? to ensure that data are used legitimately and safely.
Think of the role of a DPO as that of a financial auditor. The difference is that a DPO may or may not be an employee of the company of which s/he is a compliance officer.
While the DPO reports to the senior management, s/he operateswith complete independence and cannot be penalized for actions necessary forthe discharge of his/her duty.
The GDPR became law more than a year ago, but most companies are still struggling with the transition. There is still no fixed protocol based on which data protection is to be enforced, and it is being done mostly on an ad-hoc basis.
The task of a DPO spans a gamut of activities because everyorganization collects information in a variety of ways and very often does nothave a centralized mechanism to govern this collection.
A hospital might have a patient's medical and financial detailsstored on separate systems.
To bring structure to the chaos the DPO firstly has to ascertainwhat information is present and how it has been used. Only after that can s/heapply the question of ethics of further dissemination.
GDPR uses words to the effect of "determines the purposesand means of the processing of personal data" in describing the role of a DPO.
A DPO has to interpret the GDPR law regarding purposes of use ofpersonal data. Many processes and usage of data would have to be reviewed andapproved by him/her.
Unlike an auditor who operates under rather strict accountingstandards that have evolved over a century, a DPO is at a very early stagewithout the guidance of a statutory body.
This makes the task of a DPO hard with every decision requiring acareful balancing act between caution and need.
The DPO would need to step into various departments and find howthey handle data. DPOs would have to bring cultural change that makes theemployees profoundly rethink their product development and marketingstrategies.
This is an enormously delicate task and cannot be performedwithout stepping on the toes of departmental heads. There is even thepossibility of conflict with senior management who have over the past fewdecades come to see data as a scarce and valuable resource of which the collectionhas been at a considerable expenditure.
The DPO may face an unwelcoming atmosphere and must have the determination to bring order.
Data privacy in the postGDPR world demands expert handling. It isquite difficult to find trained personnel who have adequate expertise.
According to some estimates, there is a need for about 75,000 DPOs and probably close to a million employees in all working under them.
It is becoming increasingly challenging to provide DPOs with adedicated team of privacy experts. And it may be a challenge for DPOsassociated with organizations to find enough help with managing theadministrative workload necessitated by the job.
Most organizations have sought to train personnel from otherfields (such as HR and IT) to fulfill these needs.
The lack of protocol is a major bottleneck in training since thedomain spans across law and information technology.
The only solution is for a DPO to learn rapidly and create atraining manual that provides him/her with adequate manpower as early aspossible.
Traditional office software suites do not have advancedcapabilities to manage data privacy issues. Moreover, business owners may notfully comprehend the need to invest in the right tools, especially those thatcurb the actions they may have taken so far.
Thankfully the situation is improving. Companies such as Protectoare building tools for Data Protection Officers (DPOs) to reduce complianceburden, provide visibility into IT workflows, and automate tasks. Learn more at www.oneDPO.com.
The job of a DPO is to adequately inform those in the leading positions about the cost of notcomplying with data privacy laws. It might be the fear of being in breach ofGDPR and similar legislation and the imposition of hefty fines that wouldconvince businesses to acquire these tools.
The role of a DPO is without a doubt, not an easy one. It requires deft management skills, a steep learning curve, strong leadership to navigate around organizations, and the resourcefulness to deliver with limited resources.
The need of the hour is to set up a roadmap and establish proper protocols that make it easier for them to carry out this unenviable task.
Author: Rahul Sharma Sharma
We take privacy seriously. While we promise not to sell your personal data, we may send product and company updates periodically. You can opt-out or make changes to our communication updates at any time.
