By Stuart Tarmy.
When is the Best Time to Appoint a DPO? What are Their Key Responsibilities?
As many companies are now aware, the European Union (EU) General Data Protection Regulation (GDPR) becomes effective on May 25th 2018, and will have a significant and possibly devastating impact on all companies that do business in the EU. Every U.S. company that does any business with EU residents needs to be in full compliance with the new regulations and be able to demonstrate the required organizational structure, technology, processes and reporting capabilities to the European Country Supervisory Authorities and regulators upon request. Even if your company has no physical presence in the EU, so long as you market to EU residents, even if it is through the web, you need to comply with the GDPR. Companies that don’t comply face very significant fines in the tens or hundreds of millions of dollars, as well as potential criminal liability.
The GDPR is a complex piece of regulation and the biggest overhaul of European data privacy laws in 20 years. It took over four years to finalize and will replace all local data protection laws in individual EU countries. In the past, European data protection directives were ambiguous, often not enforced and were left to the individual countries to define. The GDPR now puts ‘teeth’ into its data protection regulations, defines a common standard applicable for all EU countries and explicitly states that fines will be the maximum of €20 million or 4 percent of total global revenue. In addition, individual countries (such as Germany) can impose additional fines and criminal liability for non-compliance. Further, individuals may also make claims for damages.
The GDPR has many requirements that a company must comply with. This article will not address them all, but instead will focus on a newly mandated enterprise security leadership role required by the GDPR, the Data Protection Officer (DPO). Under the GDPR’s Article 37, all companies with over 250 employees must appoint a Data Protection Officer that must be, by law, independent and will report into the highest level of management of the company to ensure compliance. The Data Protection Officer’s independence is taken seriously, as the GDPR expressly prevents dismissal or penalty of the DPO for performance of her tasks and places no limitation on the length of this tenure.
The DPO’s Responsibilities
The Data Protection Officer is responsible for overseeing strategy and implementation of technology, tools and processes that ensure compliance with the GDPR. The DPO must be able to demonstrate to regulators that they have taken ‘best efforts’ to comply with three main areas of data responsibility:
- Discovery: Must discover and understand all the data in their enterprise, including both the explicit, known data and the ‘hidden’, undocumented data which can reside in enterprise systems, data lakes or in the cloud.
- Security: Must be able to show that the enterprise data is secure, including data governance, security protocols, encryption/masking, threat protection, data loss prevention and policy compliance.
- Disposing and Purging Data: Must be able to delete or purge any or all enterprise data (both known and undocumented data) upon authorized request of the country’s GDPR Supervisory Authorities or other legal entities.
In a significant change to past regulations, the DPO must now report data breaches within 72 hours to their country’s Supervisory Authority. In the past, companies would sometimes wait years before reporting data breaches such as email hacks.
When Should a Company Appoint a DPO?
As described above, the DPO is a mandated, executive level position with significant responsibility. Per the regulation, a company does not officially have to designate a DPO until May 25th, 2018. However, we believe that companies should hire a DPO immediately if they have not already done so for the following reasons:
- The DPO will be the company’s GDPR ‘expert’ with a singular focus on what needs to be done to ensure compliance. The DPO will want to be able to define, select and implement their own tools and processes to ensure complete data discovery and data protection across their known enterprise data, data lakes and ‘hidden’, undocumented data.
- In the absence of appointing a DPO, IT or Legal will often take the lead in developing and implementing the GDPR strategy that the DPO will then later own and have to sign off against. This may cause future problems because the DPO may not be in agreement or be comfortable with what was earlier implemented without them.
- There is a shortage of people who are qualified to be DPOs, a role that requires knowledge of data privacy, law, technology and data management. The International Association of Privacy Professionals (IAPP) estimates that 75,000 DPOs will be needed by 2018 to meet the GDPR requirement, with two-thirds of these working outside the EU. As the EU’s largest trading partner, the U.S. will need the most DPOs, followed by China.
First Tasks for a DPO: Discovering their Data
The newly appointed DPO should be able to hit the ground running. Immediate tasks for the DPO will include:
- Discover and catalog all of the personal data in your enterprise, including data that resides in your enterprise systems, data lakes and ‘hidden’, undocumented data.
- Build a more secure data environment to ensure protection of your enterprise data.
- Monitor personal data for any breaches or non-compliance.
- Implement the tools and resources needed to meet the GDPR reporting and assessment requirements for the country Supervisory Authority and other regulators.
- Put in place a capability to purge or dispose of data upon authorized request.
We are less than a year away from when GDPR will be fully implemented, and the law won’t be waiting around for any organizations that are too slow to adapt in the meantime. For U.S. businesses that handle EU consumer data, now is the time to appoint a Data Protection Officer who can spend the next 11 months ensuring compliance with the GDPR regulations. Those who neglect to appoint a DPO and learn the ins and outs of the data privacy law could find themselves on the wrong end of a compliance penalty this time next year.