The General Data Protection Regulation (GDPR) is a new legal framework that replaces the EU Data Protection Directive and has been enforceable since it took effect on May 25, 2018. The purpose of the GDPR is to further protect the privacy rights of EU individuals by governing how organizations manage and protect personal data pertaining to EU persons, regardless of where that data is collected, transferred, stored, or processed. If you operate a US-based multinational enterprise doing business in the EU, you are no doubt by now extremely aware of GDPR. You may also be painfully aware that you are not ready for the impending compliance requirements to protect Personally Identifiable Information (PII) – including the introduction of a Data Protection Officer to your team.
That’s right, one obligation of GDPR compliance is the appointment of a Data Protection Officer (DPO). The main role of a DPO is to assist and advise the processor on GDPR compliance and to ensure that the Regulation’s provisions are applied within the institution. The DPO is required to keep a register of all processing activities involving personal data that the institution performs. This register must include explanatory information on the purpose of each processing operation and must be accessible to any person. A DPO must be appointed by data controllers and processors that are a public authority, whose activities require regular and large-scale monitoring of data subjects, or whose processing includes sensitive data such as criminal convictions. When the GDPR became effective on May 25, 2018, the data protection officer became a mandatory role under Article 37 for all companies that collect or process EU citizens’ personal data. DPOs are responsible for educating the company and its employees on important compliance requirements, training staff involved in data processing, and conducting regular security audits. DPOs also serve as the point of contact between the company and any Supervisory Authorities that oversee activities related to data. As outlined in GDPR Article 39, the DPO’s responsibilities include, but are not limited to, the following:
- Educating the company and employees on important compliance requirements.
- Training staff involved in data processing.
- Conducting audits to ensure compliance and address potential issues proactively.
- Serving as the point of contact between the company and GDPR Supervisory Authorities.
- Monitoring performance and providing advice on the impact of data protection efforts.
- Maintaining comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities, which must be made public on request.
- Interfacing with data subjects to inform them about how their data is being used, their rights to have their personal data erased, and what measures the company has put in place to protect their personal information.
More than 28,000 DPOs will be needed in Europe and the U.S., and as many as 75,000 around the globe, as a result of GDPR, the International Association of Privacy Professionals (IAPP) estimates. The organization said it did not previously track DPO figures because, prior to GDPR, Germany and the Philippines were the only countries it was aware of with mandatory DPO laws. According to Reuters, DPO job listings in Britain on the Indeed job search site have increased by more than 700 percent over the past 18 months, from 12.7 listings per 1 million in April 2016 to 102.7 listings per 1 million in December 2017. Reuters also reports that demand for DPOs is expected to be particularly high in data-rich industries such as tech, digital marketing, finance, healthcare and retail. Online job advertisements show that Uber, Twitter, Airbnb, and Experian are advertising for a DPO, as are Microsoft, Facebook, Salesforce.com and Slack, according to Reuters. GDPR is calling for new compliance standards in information management to drive a level of transparency we haven’t seen before – this is a very good thing for consumers, according to CompuData’s Client vCIO Andrew Rosado, who says GDPR’s Data Protection Officer requirement is a loud wake-up call for American businesses. “Europe is sounding the alarm for businesses to be more accountable to their information management practices and U.S. businesses need to take notice. Information management and compliance are only going to be more stringent and regulated over time – we are seeing the signs of this now,” CompuData’s Rosado reports. “It makes all the sense in the world for companies, right now, to take a step back and evaluate their current information management practices. Now is the time for businesses to ask themselves if their information management practices are all they can be and if their cybersecurity best practices will ensure all data is protected. Regardless of GDPR’s direct impact on American businesses, now is the time for all businesses to ask themselves, when it comes to information management of sensitive client data: Are we doing enough – and are we transparent enough? Do we need a Data Protection Officer?”