Would Cybersecurity Professionals Make the Best DPOs?

The arrival of the General Data Protection Regulation (GDPR) established a new role – the Data Protection Officer (DPO). Make no mistake, there’s a reason why Reuters recently referred to the role of DPO as the ‘hottest ticket in town’.

In the light of GDPR, organizations now have a duty to appoint a DPO if they are a public authority, engage in the systematic monitoring of people, or carry out certain types of processing activities. The role also caters for a previously rare breed of information privacy experts who are qualified to manage the security, legal and ethical issues that arise from handling customer and/or employee data.

That said, many companies not legally required to appoint a DPO are doing so in a bid to engage in data protection best practices and demonstrate compliance.

With the role of the DPO rising in prominence, it comes as no surprise there’s a shortage of potential candidates on the horizon. In fact, according to a recent study by the International Association of Privacy Professionals (IAPP) as many as 75,000 positions will be created in response to GDPR around the globe. So, how do you find the right person to fill the DPO’s shoes?

The DPO – top skills and responsibilities
Responsible for monitoring internal compliance, advising on data protection obligations and acting as the primary contact for supervisory authorities and data subjects, the role of the DPO is complex and wide ranging. 

Conducting regular security audits and making recommendations that foster compliance with regulations and best practices across the organization, the DPO also undertakes the education of employees on compliance requirements and trains staff responsible for data processing.

All of this requires a solid understanding of both the theory and the practice of GDPR. It is not enough to know what the law says; interpreting what it means in practice will be essential, from how you operationalize the right to be forgotten to how you deliver the right to data portability.

Good communication skills are another must-have. The DPO must be competent and confident when liaising with external stakeholders such as regulators, and must show tactful leadership when working with internal teams.

This will be vital, because maintaining GDPR compliance is a team sport that involves IT, marketing, operations and numerous other departments across the organization.

Why IT and cybersecurity professionals should consider the role
The GDPR sets out a series of very specific requirements for the DPO role that include offering guidance on risk assessments, countermeasures and data protection impact assessments. 

This means DPOs must have significant hands-on experience backed by privacy certifications and information security standards certifications, skills that will need to be founded on wide-ranging experience in IT infrastructure and IS audits.

Furthermore, because risks are constantly evolving, DPOs will need to comprehend how emerging technologies alter these risks.

All of this requires a wide range of technical skills and experience, extending from an understanding of data privacy, through information risk management, to knowing how to protect information in proportion to its level of risk through people, processes and technology.

This makes it the ideal role for an ambitious IT professional who has an interest in all things related to data privacy.

Recruiting a DPO is not an easy task – everyone is looking for a DPO with significant years of GDPR experience. Organizations will need to take a more pragmatic approach and explore whether they have IT or cybersecurity professionals who could be developed into the role of DPO with the right training and coaching.