The data protection officer (DPO) is not a new position in terms of responsibility. In fact, some companies have had a chief security officer and chief data privacy officer on staff for many years. However, under the General Data Protection Regulation (GDPR), many businesses will be required to appoint a DPO, regardless of their size. The DPO will have a large portfolio of responsibilities, including overseeing all data protection issues, monitoring the company’s compliance with the GDPR, dealing with regulatory authorities who may inquire about the firm’s GDPR compliance, and managing privacy risk assessments and internal audits.
Any business that must comply with GDPR will have to hire a data protection officer because regulators will require a single point of contact they can engage with when evaluating an organization’s compliance. Just as a chief financial officer (CFO) serves as a liaison for investors alongside the CEO, a DPO will serve in this capacity when the organization interacts with regulators. With a DPO charged with GDPR compliance, it will be easier for both the organization in question and the regulators to ensure that requirements are being met.
From the regulators’ standpoint, it will be easier to assess compliance across businesses of different sizes and verticals, because the DPO will always have the same charter and set of responsibilities across all companies. When a regulator comes into a business and speaks with a DPO, he or she will ask that person to present a comprehensive assessment of all the company’s customer data, including what’s been collected and where the data sources are located. Having a consistent point of contact who oversees assessment and is responsible for having the controls in place will streamline the process for all involved.
Since the GDPR gives the customer the right to ask a company to delete his or her customer records, a DPO must put data governance and security infrastructure in place in order to trace any interaction that a customer has had with the company. Most of us tend to think of customer data as simply residing in customer relationship management (CRM) or transactional systems that house information on products and services that customers have purchased. However, if you send an email to a company inquiring about the status of an order, or have a phone conversation with a customer service representative that’s recorded, these are sources of data about a customer. To make matters worse, these systems are often not connected. Demonstrating compliance with GDPR can be incredibly difficult if it turns out that the company does not know where all of a person’s records reside within its various systems.
The DPO will be responsible for making sure that the company is able to fulfill this requirement. For that to be possible, the DPO needs to have a good sense of where all the possible sources of customer data are within the organization. This means the DPO must put in place an IT infrastructure that is capable of discovering and assessing data sources that are both structured and unstructured, such as email messages, database records, phone conversations with customer service representatives, and more. This infrastructure also needs the functionality to classify this information according to whether it creates privacy concerns or is sensitive in some other way.
After the business has labeled or tagged this data, it can apply various policies to customer records. Given the volume and scale of data that could be involved, the company will likely need an automated mechanism to identify, tag, and catalog the data, and then apply the relevant policies that may be required, such as access or security policies. Consolidating data from siloed systems into a unified platform will certainly be helpful in this regard.
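As an added illustration of the discover, classify, tag and apply-policy cycle described above (this is example code, not something from the original post or any vendor product), the following Python builds a small catalog over three constructed, disconnected sources and answers the question the text says a DPO must be able to answer: where does every record about one data subject live? The source names, tag names and policy labels are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample records from three siloed systems (not real data).
CRM_ROWS = [
    {"id": "C-1001", "text": "Ada Example ada@example.org"},
    {"id": "C-1002", "text": "Bob Sample bob@example.org"},
]
EMAILS = [
    {"id": "m-1", "text": "From: ada@example.org Status of order 4421?"},
    {"id": "m-2", "text": "From: carol@example.org Please unsubscribe me"},
]
CALL_TRANSCRIPTS = [
    {"id": "call-7", "text": "Hi, this is Ada, ada@example.org, card ending 4242."},
]
SOURCES = {"crm": CRM_ROWS, "email": EMAILS, "calls": CALL_TRANSCRIPTS}

# Simple detectors for the kinds of personal data in the sample text.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
CARD_RE = re.compile(r"card ending \d{4}", re.I)
ORDER_RE = re.compile(r"order \d+", re.I)


@dataclass(frozen=True)
class CatalogEntry:
    source: str          # which silo the record came from
    record_id: str       # identifier inside that silo
    subjects: frozenset  # e-mail addresses identifying the data subject(s)
    tags: frozenset      # classification labels found in the record
    policy: str          # access policy derived from the tags (assumed names)


def classify(text):
    """Label a record by the kinds of personal data it contains."""
    tags = set()
    if EMAIL_RE.search(text):
        tags.add("contact")
    if CARD_RE.search(text):
        tags.add("payment")
    if ORDER_RE.search(text):
        tags.add("transaction")
    return frozenset(tags)


def policy_for(tags):
    """Strictest tag wins: payment data gets the tightest policy."""
    if "payment" in tags:
        return "restricted"
    return "confidential" if tags else "internal"


def build_catalog(sources=SOURCES):
    """Discover and tag every record across all silos into one catalog."""
    catalog = []
    for name, records in sources.items():
        for rec in records:
            tags = classify(rec["text"])
            subjects = frozenset(EMAIL_RE.findall(rec["text"]))
            catalog.append(CatalogEntry(name, rec["id"], subjects, tags, policy_for(tags)))
    return catalog


def trace_subject(catalog, email):
    """Every (source, record_id) holding data about one subject: the erasure worklist."""
    return sorted((e.source, e.record_id) for e in catalog if email in e.subjects)
```

Running `trace_subject(build_catalog(), "ada@example.org")` shows the same person appearing in the CRM, an email and a call transcript, which is exactly the cross-silo trace an erasure request requires.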
Obviously, a DPO will be considered successful if he or she can guarantee compliance with the GDPR. If you unpack everything that the GDPR encompasses, this may prove to be a far more formidable challenge than it might first appear on paper. For example, certain provisions of the GDPR are extremely broad and can be interpreted in multiple ways. One concisely written requirement could, in fact, mandate that the DPO review all systems within the organization and confirm that they have been built from the ground up with security and privacy in mind, possibly touching on disparate functions of the organization, such as product development and systems development.
A DPO will need strong leadership skills, sharp business acumen, and enough technical experience to bring together various parts of the organization to ensure proper compliance. It will also be crucial for the DPO to have a seat at the organization’s leadership table. This officer must be vested with considerable authority to provide the information that regulators request and implement the changes they require. The DPO will also counsel the organization on how to adapt its practices, processes, and systems to better comply with GDPR regulations. The DPO’s role should be closely aligned with the CEO and CFO, reporting to the highest levels of management.
Lastly, any business bound by GDPR—and consequently its DPO—will need experienced technology partners with deep subject matter expertise. These partners should bring the right set of technology solutions and best practices to the table, whether that involves conducting a risk assessment or structuring customer data to better comply with the GDPR. With the benefit of this guidance and an empowered DPO leading the way, your company can rest assured that it is meeting its regulatory obligations while enabling the tremendous business opportunities that big data generates.