The European Union's sweeping data regulations are set to take effect in just a few weeks, forcing many companies to suddenly ask, "Do I have a data protection officer?"
If the answer is no, the follow up question is probably, "How do I get one?"
Data protection and regulatory compliance experts have been around for decades, but the implications of the General Data Protection Regulation, set to take effect May 25, is putting these professionals to the test — and finally into the spotlight.
For many companies, data protection officers (DPOs) will be the person to step back, understand what GDPR means for their business and how they need to prepare. They're responsible for keeping in contact with upper-level management and overseeing technical processes like data inventory, data flow mapping and privacy assessments.
It's a hard job, with many interests to juggle and uncertainties to overcome. For companies still in the early stages of the compliance journey, taking a page out of the books of DPOs already hard at work on compliance can help get the ball rolling.
What is a data protection officer?
GDPR clearly outlines the designation, position and tasks of the data protection officer (Section 4, Articles 37-39). A data controller or processor needs to appoint a DPO if it:
-
Is a public authority
-
Engages in large-scale monitoring of data subjects
-
Processes special categories of personal data — such as political opinions, religious beliefs, race or sexual orientation — or personal data relevant to criminal convictions or acts
The DPO can be a staff member or contracted employee who has "expert knowledge of data protection law and practices and the ability to fulfill the tasks [of]:"
-
Informing and advising a company on data protection regulations
-
Monitoring compliance
-
Advising and monitoring data protection impact assessments
-
Cooperating with and acting as a contact point to supervisory authorities
In the past, compliance and security were often overlooked fields, viewed as a cost center and not taken into consideration until a product had already hit the market. But GDPR is increasing demand for information security and data protection specialists.
Some DPOs have held their position since before GDPR was passed. After more than a decade's worth of infosec experience, Raymond Umerley, VP and chief data protection officer at Pitney Bowes, put his background to work and created the company's DPO role about five years ago.
"It was really about recognition that privacy and security are two sides of the same coin," said Umerley, in an interview with CIO Dive. "How we go about securing information we have and keeping client or employee information private and confidential demanded a different kind of position, mindset and approach."
Jen Brown, compliance and data protection officer at Sumo Logic, officially took on the role of DPO last April. Following decades of experience in IT security and compliance, the transition to becoming a DPO was natural.
"Most of the companies I've worked at, security's always been an afterthought," said Brown. Now, more companies are focusing on privacy by design and building security into systems and products from the very beginning, giving data protection and compliance professionals a better seat at the table.
There's no 'I' in team — or DPO
The text of GDPR relating to DPOs, much like other areas of the regulation, is somewhat vague. This flexibility comes with its merits and disadvantages, allowing companies to find a compliance leader that best suits their need but leaving many details unclear at a time when business leaders want to know exact details of what is expected.
Brown and Umerley are both dedicated full-time to data protection and compliance, but Umerley suspects that for many organizations the role of DPO "may be one of many hats" that someone has to wear.
The heavy burden of responsibilities, whether it be for a full or part-time DPO or compliance leader, means that setting up a compliance and data protection team is just as important as finding the chief.
DPOs often come from a technical or legal background, and while both sides have their merits, a successful DPO has to understand both parts of the equation.
Expecting one individual to have the full breadth of technical and legal knowledge GDPR demands is a big ask. But forming a network of support by consulting outside counsel, working with different departments across the company and reaching out to peers in the industry has been has proven invaluable to Brown and Umerley.
"We're all building the airplane as we're flying it," said Brown, who has found that both customers and peers are willing to talk about data protection and compliance and figure out what other people are doing to prepare. Taking advantage of training resources can also help compliance leaders set their strategy.
Brown joined the company with an agreement to get a DPO certification, which she completed through the International Association of Privacy Professionals.
DPOs have a large footprint across the company, working with legal, tech, IT security, product security, internal audit and advisory departments, among others, and their teams can comprise anywhere from a handful of other employees to dozens. "Almost every business function in an organization is impacted," said Daniel Frank, principal with Cyber Risk at Deloitte, in an interview with CIO Dive, and this necessitates such a holistic, macro approach.
The breadth of application across the company also means the DPO can fit into the governing structure in multiple ways. Umerley reports to his company's chief legal officer while Brown reports to the VP of security and compliance.
The 'tentacles of data'
As the industry wraps its head around GDPR, misconceptions abound.
Many customers might ask their vendor if they offer GDPR compliant software or other products, but such a thing simply does not exist, according to Umerley. "What they're probably asking for is, how do we support data subject rights in terms of portability and access and identification of personal data? What are we doing around breach notification, what security controls do we have in place?"
As his team focuses on identifying and understanding data, data management tools in the company's portfolio become more pertinent. Figuring out where the "tentacles of data" expand through a company's system is especially important for compliance with the right to erasure established under GDPR.
Even if a company has a modern, centralized system of record, that doesn't mean it's compliant. A siloed HR system or an old server in IT may still have personal information attached to it, and one of the biggest challenges for companies is managing to piece all these bits together, said Umerley.
Add on a multicloud type of environment, "and you're chasing data all over the place," according to Frank.
Organizations not expecting to receive a lot of erasure requests can take the risk of leaving deletion a manual process. On the other hand, organizations can develop full technology automation with the means to collect data from solitary sources and collapse it into a single file or to delete the information from each repository, said Frank.
In the middle, for companies that know they need an erasure plan but cannot do it across the entire system (at least not yet), another option is to create the means for file creation and deletion from main systems of record — the highest risk repositories. Frank said that most companies right now are probably going for the middle ground or fully manual approach.
What noncompliance will mean come May is also subject to a lot of dispute. Many companies are behind schedule or late to the game on their compliance journey, causing uncertainty of how quickly they may be held accountable for insufficient data protection practices.
Umerley likened many of the dire predictions of shifting global paradigms and EU regulators doggedly cracking down on companies to the Y2K phenomenon. In other words, perhaps it's somewhat dramatized.
"May 26 is going to come around and the world's still going to be turning, and I don't think we're going to see a ton of headline-breaking data protection violation notices," he said. After all, regulators may still be undergoing their own journey in 2018, pushing collaboration between industry and authorities.
"The reality is a lot of the data protection authorities are still woefully understaffed and underresourced," said Umerley. "Many of the European countries themselves actually have not actually adopted the GDPR requirements into their local legislation … I still think there's going to be some opportunity there for companies to catch up without necessarily worrying about a regulator breathing down their neck."