The role of a Data Protection Officer (DPO) has come into sudden sharp focus since the EU's General Data Protection Regulation (GDPR) came into effect in May 2018.
Yet many people outside the EU still do not clearly understand the role of a Data Protection Officer. Here is a brief, non-technical primer.
All the services we use, from banks and social media to government agencies and hospitals, collect and store vast amounts of data about us, their users.
At the very least, each of these organizations has access to customers' names, addresses, phone numbers, credit card numbers and government ID numbers. Some organizations also hold details of customers' financial status, purchase history, political views, the state of their physical and mental health, and much more.
The Facebook-Cambridge Analytica scandal showed that there is an urgent need for regulations to protect customers' data, bring transparency to data processing, and put measures in place to prevent mishandling. That was just one instance. There might be hundreds of such cases that the world does not know about.
In this context the mandate of a DPO is rather simple:
● to ensure that data are collected legitimately and ethically
● to ensure that data are stored securely
● to ensure that data are used legitimately and safely.
Think of the role of a DPO as that of a financial auditor. The difference is that a DPO may or may not be an employee of the company for which s/he acts as compliance officer.
While the DPO reports to senior management, s/he operates with complete independence and cannot be penalized for actions necessary for the discharge of his/her duties.
The GDPR became law more than a year ago, but most companies are still struggling with the transition. There is still no fixed protocol on which data protection enforcement is based, and it is being done mostly on an ad hoc basis.
The task of a DPO spans a gamut of activities because every organization collects information in a variety of ways and very often does not have a centralized mechanism to govern this collection.
A hospital might have a patient’s medical and financial details stored on separate systems.
To bring structure to the chaos, the DPO first has to ascertain what information is present and how it has been used. Only after that can s/he address the ethical questions around its further dissemination.
GDPR uses words to the effect of "determines the purposes and means of the processing of personal data" in describing the role of a DPO.
A DPO has to interpret the GDPR with regard to the purposes for which personal data are used. Many processes and uses of data have to be reviewed and approved by him/her.
Unlike an auditor, who operates under rather strict accounting standards that have evolved over a century, a DPO works in a discipline that is at a very early stage, without the guidance of a statutory body.
This makes the task of a DPO hard, with every decision requiring a careful balancing act between caution and need.
The DPO would need to step into the various departments and find out how they handle data. DPOs would have to bring about a cultural change that makes employees profoundly rethink their product development and marketing strategies.
This is an enormously delicate task and cannot be performed without stepping on the toes of departmental heads. There is even the possibility of conflict with senior management, who have over the past few decades come to see data as a scarce and valuable resource whose collection has come at considerable expense.
The DPO may face an unwelcoming atmosphere and must have the determination to bring order.
Data privacy in the post-GDPR world demands expert handling. It is quite difficult to find trained personnel with adequate expertise.
According to some estimates, there is a need for about 75,000 DPOs and probably close to a million employees in all working under them.
It is becoming increasingly challenging to provide DPOs with a dedicated team of privacy experts. DPOs may also struggle to find enough help with the administrative workload the job requires.
Most organizations have sought to train personnel from other fields (such as HR and IT) to fulfill these needs.
The lack of an established protocol is a major bottleneck in training, since the domain spans both law and information technology.
The only solution is for a DPO to learn rapidly and to create a training manual, so that adequate staff can be brought up to speed as early as possible.
Traditional office software suites do not have advanced capabilities for managing data privacy issues. Moreover, business owners may not fully comprehend the need to invest in the right tools, especially tools that curb practices they have relied on so far.
Thankfully the situation is improving. Companies such as Protecto are building tools for Data Protection Officers (DPOs) to reduce compliance burden, provide visibility into IT workflows, and automate tasks. Learn more at www.oneDPO.com.
The job of a DPO is to adequately inform those in leadership positions about the cost of not complying with data privacy laws. It might be the fear of being in breach of GDPR and similar legislation, and of the hefty fines that follow, that convinces businesses to acquire these tools.
The role of a DPO is, without a doubt, not an easy one. It requires deft management skills, a steep learning curve, strong leadership to navigate organizations, and the resourcefulness to deliver with limited resources.
The need of the hour is to set up a roadmap and establish proper protocols that make it easier for DPOs to carry out this unenviable task.
Author: Rahul Sharma