The European Union's General Data Protection Regulation (GDPR) is coming up in less than a year, and many of its requirements are not quite clear. A good example of this is the responsibility for companies to hire a Data Protection Officer. This may engender a few questions, such as:
- Does everyone need to hire a Data Protection Officer?
- What are the responsibilities of a Data Protection Officer?
- Where should a Data Protection Officer sit within an org chart?
- Do you have to hire a whole new employee to be your Data Protection Officer, or can you just hang that title on your existing CISO?
This level of uncertainty prior to a major regulatory rollout is concerning, especially for companies that aren't based in the EU but still do business there. Given that the EU is simultaneously pursuing one of the largest antitrust fines in history against Google (charges tangentially related to data privacy violations), it seems likely that the GDPR will be vigorously enforced. How can companies fill the DPO position without getting fined, and without breaking the bank on a new hire?
Does everyone need to hire a Data Protection Officer?
Not everyone will need to hire a DPO. The text of the law states that only companies that conduct large-scale monitoring of individuals, or that process specific categories of data, such as data that reveals a person's religion, political affiliation, or ethnic origin, or whether they've been convicted of a felony, will be required to hire a DPO.
This being said, there are a number of situations where companies might breathe a sigh of relief, only to be told that they need to hire a DPO anyway. For example, EU member states are allowed to add further requirements on an individual basis. The German Federal Data Protection Act requires a DPO for companies with nine or more employees involved in automated data monitoring.
What does a Data Protection Officer actually do?
The GDPR sets out some minimum requirements that lay down the responsibilities of the DPO. They must know the GDPR and be able to advise their co-workers about it. They must monitor compliance with the GDPR. Lastly, they must be available for audits by their supervisory authority.
The law also sets down some guidance on where to put the DPO within your reporting structure. The officer should be able to have a direct line to the highest level of corporate leadership, the ability to request resources to purchase tools and training, and the ability to perform their roles independently by having complete access to data processing records.
Can we hang the responsibilities of the Data Protection Officer on a pre-existing employee?
Companies are allowed to elevate their pre-existing employees into DPOs, but doing so might not actually be the best idea, depending on who you are and what you do. Given the rights and responsibilities listed above, a new DPO is going to have a lot on their plate. Unless your pre-existing employee already has most of the same responsibilities (such as a CISO or one of their close subordinates), an outside hire might be better.
Regardless of who you hire for the position of DPO (assuming you need one), they're probably not going to have the easiest task. Based on our reading of the GDPR, it's a company's job to supply a DPO with the best tools, talent, and training in order for them to perform their role.
Safe-T lets companies provide their newly-minted Data Protection Officer with a full suite of tools that lets them do their job easily. They'll have a bird's-eye view of all the data entering and leaving your organization, with the ability to set automated rules in order to comply with the strictures of the GDPR. Implementing Safe-T is one of the fastest ways to pull your company into GDPR compliance. For more information, check out our comprehensive EU General Data Protection Regulation Guide.