Forty days after the E.U.’s Global Data Protection Regulation came into effect, there are 60 data protection officers to be found in Canada on LinkedIn and another 15 job postings mentioning the position.
Required for certain firms that do business involving European data to create, the newest organizational role to answer directly to the C-suite is usually borne out of the IT department but doesn’t have to be.
Data protection officers can hold down another role at their organization, so long as they can reasonably complete the privacy-related work required of them. They also don’t have to be based in Europe, though Canadian organizations that appoint a data protection officer at their home office will need a representative in Europe. Data protection officers should become certified in GDPR, maintain a network of privacy experts, and they must be registered with a supervisory authority in an E.U. member country.
This is the new role of data protection officer in a nutshell, and the International Association of Privacy Professionals estimates that as many as 75,000 of them will be hired globally.
Since GDPR came into effect May 25, ITBusiness.ca has spoken with two data protection officers about their approach to the job and how they got there. Florent Gastaud is the data protection officer at Paris-based cloud computing firm OVH, which has operated a Canadian division since 2012 and recently expanded its data centre footprint in the country.
Gastaud says he was working as OVH’s data protection officer even before GDPR was enforceable. “We are the first European cloud provider and as such we are processing a huge amount of data,” he says. “We have a huge responsibility to protect this data.”
Kelly Bebenek is the data protection officer at Toronto-based social media analytics firm Sysomos, which was recently acquired by San Francisco-based Meltwater. She’s also the director of sales operations at Sysomos.
“My role spans a few swim lanes at Sysomos and it gives me a unique position to understand the impact and challenges of rolling out a privacy compliance plan,” she says. “When I attended my certification training I was the only person not in IT.”
Do you need to appoint a data protection officer?
There are three situations in which you require a data protection officer, Gastaud says. When there is data processing that’s carried out by a public authority in Europe, when you process personal data that requires monitoring of E.U. data on a large scale, or when the core activities of large-scale processing of special categories of data such as health information or political affiliation.
The Information Commissioner’s Office out of the U.K. offers a guide on data protection officers complete with a checklist.
All companies that meet the above criteria must comply with GDPR, regardless of size. Companies with more than 250 employees are required to keep more detailed records on data processed, including how long it will be retained, a description of the categories of the data processed, and any details of any transfers of that data outside of the E.U.
If you choose to not designate a data protection officer, your firm must write an official letter documenting why it is not necessary, Gastaud says.
Sysomos made the decision independently to appoint a data protection officer since it processes a lot of social data from Europe, Bebenek says. It also found its customers were asking about GDPR compliance as the deadline approached. Following the acquisition by Meltwater in April, it’s now in a situation where the company has two data protection officers – Bebenek and Meltwater’s appointee. Both positions are being maintained for the time being.
Who should be a data protection officer?
Who can be appointed as a data protection officer? “It’s a delicate question,” Gastaud says.
There are two aspects to consider – the skill set of the person that will do the role and the position they currently inhabit in the organization. When it comes to skill set, Gastaud says it’s most often some combination of legal and IT expertise that strikes the right balance.
The data protection officer must be a senior role that reports directly to the highest level of management. This position must be considered independent from other departments and not receive any instructions on how to exercise their duty from internal sources.
Here’s the ICO’s checklist for this position:
The data protection officer role can be balanced with another role, so long as all the required tasks can be reasonably completed. At Sysomos, Bebenek also wears the hat of global director of sales operations. She says her tasks as data protection officer take between five and 20 hours per week.
Gastaud says that if your company is controlling or processing a large enough volume of data, its possible more than one data protection officer will be required. “It depends if the company is a controller or a processor,” as well, he says, because companies that only control data should take less time to implement procedures.
When your data protection officer is chosen, be sure to register them with a supervisory authority in a European country. OVH registered in France, and Meltwater registered in Germany. The data protection officer should be the main point of contact for privacy inquiries and questions about customer data.
For companies that don’t have a data protection officer that’s based in Europe, they’ll have to hire a representative that’s present in the E.U. to act as a conduit. Many legal firms in Europe are offering such services.
What does a data protection officer do?
Both data protection officers were aligned on their first priorities after opening up their new office and sticking their nameplate on the door.
First, identify all the processing of personal data that’s taking place in the company. Understand what the purpose of collecting and retaining that data is, and how it’s stored and shared with any other parties. Once you’ve done that, you should have an idea of what corrective actions are needed.
“This helped to identify where we needed to focus our compliance plan,” Bebenek says.”In parallel with documenting the personal data, I also looked at what was absolutely required for GDPR and started to reverse engineer the project plan from there.”
Identify any third-parties that your company shares data with and whether they are processing data for you. Even if you’re just a controller of data, “you are still responsible for what they’re doing with your customer’s personal data,” advises Gastaud.
Beyond that, the data protection officer must cooperate with the supervisory authority they are registered with, provide advaice on data protection impacts, and perform with regard to the risk associated with processing operations. Refer to the GDPR Article 39 for a complete list of duties.
There will be some big differences in how a data protection officer operates based on the nature of their organization. But Bebenek offers one pointer that anyone in this role can take to heart – create a network of GDPR experts. She talks weekly with the data protection officer at Meltwater and also stays in touch with the other GDPR-certified professionals she met at her course.
“The GDPR regulation is being further developed and more understood each day because of this I recommend building a community of data proteciton professionals in your area or on LinkedIn,” she says. “Use them as a resource for when you get questions you haven’t thought about or if you want to see how other companies handle things.”
Do that, and you might still be data protection officer 400 days after GDPR became enforceable.