In the past weeks several communications via different media, blogs, … were addressing the need of thousands of Data Protection Officers (DPOs) across Europe for the coming year to ensure organizations’ compliance to the General Data Protection Regulation (GDPR), a quest like none before …
At the same time the debate went on discussing the qualifications this person would need to show. The discussions between those that approach this question from a legal point of view (where the quest is originating) and those that see the resolution coming from within the technical departments of the organization (where part of the solution will reside) went back and forth.
To my opinion they leave out another important point of view, namely the organization’s point of view.
So, let us take this more holistic approach. Let us try to come up with an answer to the question posed “Who will make this GDPR compliancy a reality in your organization, while you’re running your business as well ?”
The GDPR text (Articles 37-39 relating to the Data Protection Officer) describes the job content. At the same time a number of implicit expectations come along with this description. Regardless if this position is filled in by an employee or on the basis of a service contract, that is what is expected and makes him or her the Data Protection champion.
Highlighting what should be covered when looking for the ideal candidate, it boils down to the following:
The data protection officer should be designated on the basis of:
- professional qualities
- expert knowledge of data protection law and practices
- the ability to fulfil this minimum set of tasks (referred to in Article 39):
- inform and advise those responsible and accountable for processing, on their obligations in this respect.
- monitor compliance with this Regulation, the related data protection provisions and policies on the aspects of the protection itself
- monitor that responsibilities assignments, awareness-raising and training of staff and related audits are done.
- provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to the criteria making an impact assessment needed.
- cooperate with the Supervisory Authority
- act as point of contact with the Supervisory Authority on issues relating to processing (amongst others data breaches), including the prior consultation and to consult, where appropriate, with regard to any other matter
- have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
- the requirements coming along with the position of the Data Protection Officer in the organization,
allowing that the DPO shall:
- be involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
- be supported & provided resources necessary to
- carry out those tasks
- access personal data and processing operations
- maintain his or her expert knowledge.
- report directly to the highest management level.
- be contactable by data subjects with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
- be bound by secrecy or confidentiality concerning the performance of his or her tasks.
- be able to exercise his/her work without receive any instructions regarding it.
- not be dismissed or penalised for performing his tasks.
- not be in a “conflict of interest” situation due to other work/obligations within the organization.
Looking at the magnitude of this
… the scope of the job (all personal data related ),
… the expertise needed (in the legal as technical domain AND business process domain, in order to know where, what should be tackled),
… the stakeholders management (external: the Supervisory Authority , the data subjects and (sub)contractors ; internally: users, trade unions and the C-level of the organization),
… negotiation and convincing skills,
… the understanding of risk management and prevention,
… the stress resilience and cool of a crisis manager in case of a data breach,
… the inspirational leadership to make aware, motivate and to drive the change,
… the structured approach to move the organization towards this new stringent data protecting behaviour…
well … then we’re not looking anymore for a specialist, but rather a superman/woman
… OR ….
what in my opinion would be a better option: a manager that is knowledgeable in these domains and who can manage and lead a team of specialists, acting as a front man/woman putting data protection on the map in and outside of the organization.