I have a confession to make: I’ve fallen head over heels in love with a data protection officer.
How could I not? Data protection officers (DPOs) are fast becoming one of the most valuable hires in the office. Soon DPOs will stand shoulder-to-shoulder with company staples like IT directors, HR specialists, or product managers. Before I dish out the details on my new workplace crush, let me tell you where we first met.
Our love story begins where all great love stories begin: in the pages of an upcoming data privacy regulation called the General Data Protection Regulation (GDPR).
…What’s that? Are you tired of being the third wheel? Then let GetApp play matchmaker: this article discusses why companies should “fall in love” with the idea of hiring a dedicated data protection officer. We’ll explore the following topics:
- What is GDPR?
- What is a data protection officer?
- What does a data protection officer do?
- Who needs to hire a data protection officer?
- Why should you fall in love with a data protection officer?
- Helpful Resources: plan the 2nd date
The GDPR is a new rule book for data privacy—a dark, dense cloud of a regulatory change—that touches down in the EU on May 25, 2018. GDPR brings with it a slew of instructions to tell companies how to handle the personal data of their employees and customers.
All companies in the EU—big or small—must follow these new rules. The message is simple: comply with the GDPR or face major fines. 20 million euros or 4 percent of global turnover is at stake for the worst GDPR offenders. In addition, GDPR’s shadow extends over companies outside of the EU that deal with EU-based employees or customer data, so even companies an ocean away may be looking down the barrel of GDPR penalties come May.
One of the most important changes the GDPR is making is the requirement for certain businesses to hire a data protection officer. This role is tasked with managing personal data and ensuring compliance with GDPR’s data privacy laws.
What steps has your company taken to prepare for GDPR’s landfall this May?
For the companies forced to hire a DPO, the selection of a suitable candidate is like an arranged marriage. And in fact, most SMBs will not be required to hire a data protection officer at all.
However, having designated leadership to face GDPR is an understated benefit. Falling into the arms of a data protection officer can be a welcome comfort to keep your company out of the courtroom and gain a competitive advantage.
Just a few years ago, typing data protection officer into Google would not have reeled in many results. Today is different: blogs, video interviews and job listings related to DPOs fill up search results. But what are the details of this role, and what exactly are data protection officers responsible for?
Fundamentally, data protection officers protect data. A DPO’s job is to manage a business’s data—the sensitive information companies keep about their employees and customers—much as a treasurer manages financial assets.
Specifically, DPOs deal with personally identifiable information (PII), which is any information that can be traced to and used to identify an individual person. Examples of PII include employment contracts, invoices, shipping information, etc. DPOs keep PII organized, secure, and compliant, and make sure the business is following the best and latest data practices.
But DPOs are also tightly welded to the GDPR compliance effort. Their intended purpose is first and foremost to help their companies comply with the GDPR. According to Gartner research, 50 percent of companies will not be in compliance with the GDPR by May. To course correct, DPOs are an essential company asset.
- Educate the business and its employees about their obligations to comply with the GDPR and other data protection laws.
- Monitor compliance with the GDPR and other data protection laws (e.g., lead staff training, conduct internal audits, and develop corrective action plans).
- Act as first point of contact for supervisory authorities (read: auditors) and for individuals whose data is processed (read: handle public relations and data subject requests from employees/customers).
- Organization is a public authority (except for courts acting in their judicial capacity).
- Organization carries out large scale systematic monitoring of individuals.
- Organization handles large scale processing of special categories of data or data relating to criminal convictions and offenses.
Right off the bat, this disqualifies the vast majority of SMBs. Unless your company’s data practices are in the list above, you do not need to hire a data protection officer. But, you should consider a DPO anyway. Matthew Vernhout, director of privacy at 250ok, an email deliverability company, highlighted the universal need for a DPO in today’s businesses:
“With sweeping regulations like GDPR coming online, businesses that handle a significant amount of personal data need to shift into gear regarding data protection and compliance,” said Vernhout. “An investment in a data protection leader is no longer an option for businesses dedicated to consumer protection and meeting the standards of today.”
It’s important to point out that a data protection officer doesn’t need to be a full-time employee, or even an internal hire—DPOs can be consultants and work contractually. In addition, there’s no need for a DPO to be a single person. A DPO can be a partnership, department, or outside agency. What matters is the job at hand: giving a central, audible voice to your company’s personal data and its protection.
Here are the three reasons why data protection officers are a major asset to your company:
The first reason to fall in love with a data protection officer is because data is now the world’s most coveted resource. It’s been called “this century’s oil,” the fuel to our digital economy, and if leveraged smartly, data can lead to massive benefits. For evidence, just look to companies like Uber or Airbnb and how they’ve blown a hole in their respective industries and shaped entirely new markets. Uber and Airbnb don’t own a single car or hotel. Of their major holdings, they possess zero tangible assets excepting one thing: their grand caches of user data.
The winners of this generation will be companies that use their data most efficiently and compliantly, and that are able to leverage it to gain the upper hand over the competition. Joe Montgomery, VP of marketing at 250ok, draws from his company’s experience achieving compliance with GDPR, and talked about how leadership is integral:
“Adding a privacy leader to 250ok was a critical step in achieving best practices for both our international privacy and compliance needs,” said Montgomery. “Having a specialist on staff improves the speed and quality of our process of achieving and maintaining compliance with SOC 2, Privacy Shield, CASL and GDPR, among others.”
Another reason to fall in love with a DPO is that they are a compass to point business leaders to data privacy-respecting decisions. DPOs are a bank of information—the most knowledgeable person in the room on all things related to their employer’s PII and private data practices. DPOs can be a conduit for the rest of the company to gain advice and strategies to help their departments and projects serve data privacy needs better.
For example: try answering these frequently asked questions about GDPR as gathered from Google search. Can you?
How’d you do? Now imagine that these same questions—plus a couple more questions digging into your company’s intimate data practices—are asked of your organization by one of your customers:
- How do you process my data?
- What region is my data processed in?
- What is my data used for?
- Can you provide process documentation in the event of a security breach?
Oh yeah, did I mention that your customer CCed the European Commission, which created the GDPR? Don’t you wish you had a knowledgeable agent, someone to field these questions on your behalf? That’s where a DPO comes in.
Compliance and risk management think-tank and consultant group TrustArc carried out a cyber security survey and found that 89 percent of consumers in the US and UK report that they avoid companies who don’t protect their privacy. Data privacy matters to customers. The reality is that as data takes center stage in the digital economy, data privacy needs to matter to businesses too.
Katherine Espinoza, Growth & Partnership Manager at Rebrandly, a SaaS provider specializing in branded links, explained that when preparing for the GDPR, in addition to consulting with legal advisors, her teams reached out to customers for direct feedback:
“We have had more conversations with our users than I can count around security and privacy. It’s increasingly important for our customers to make sure that data is being processed and stored safely—and they are very vocal about their need for transparency here. In order to make sure we’re giving them the best possible product, taking these concerns into account would be paramount even if the GDPR wasn’t looming,” Espinoza said.
When approaching data privacy and protection, more businesses should focus on the interests of the customer—as Rebrandly has done. The purpose of GDPR compliance is not to avoid a fine, it’s to improve data privacy to better serve people.
In addition, data privacy concerns do not end when we check the compliance checkbox of GDPR or any other regulation. Improving data privacy practices is a continuous act like improving revenue or employee retention.
That’s what matters for the long-term and why, in my opinion, a DPO will be on the payroll of most every company in the near future—because after GDPR, a DPO’s job is not even close to done.
If you’re considering going steady with a data protection officer, take stock of your organization’s current data privacy practices and how far along you are toward GDPR compliance. Where could you improve, and what still needs to be done? Your company and a DPO might make a good couple. If you’re interested in finding out more, check out the helpful resources below:
- How HR Software Can Help Your Business Stay Compliant With GDPR (GetApp)
- GetApp Catalog of Data Protection Software (GetApp)
- Toolkit: Job Description for a Privacy Director (Gartner)