
If the GDPR (General Data Protection Regulation), the EU’s data protection harmonisation project, were to become a Hollywood movie, its genre would most likely be horror.

Focus on the regulation over the past twelve months has been aimed mostly at its penalties, with scare stories in no short supply. The GDPR has been called many things: visionary, giver of rights, stress inducer, and even destroyer of marketing, but never a job creator.

Yet for many aspiring data protection professionals, it is precisely that.

The DPO’s Grand Entrance

Buried deep in the pages of the GDPR, Article 37 gives rise to a new supervisory appointment referred to as a DPO (Data Protection Officer). This mysterious data protection superhero role – a path upon which none have walked before – can be better understood from the following five points:

1. Public Authorities Must Appoint

Public Sector Information Security departments will be welcoming a new addition to their team under the GDPR. All public sector organisations, with the exception of the courts, that process the personal information of data subjects must appoint a DPO to oversee processing activities. The courts and in some cases law enforcement are omitted from various parts of the GDPR to prevent it from becoming a hindrance in the effort to maintain public safety.

2. The Role is Optional but Recommended for Most Organisations

There exists an interesting mixture of information available online suggesting that organisations larger than a specified size must appoint a DPO. However, this is untrue. The GDPR simply says that a DPO is necessary if an organisation’s activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale or when processing special categories of data, such as those relating to criminal convictions and offenses. The ambiguity is such that it may be in the best interests of most to consider creating the role for risk-containment purposes even if there is no obvious requirement.

3. DPOs Must Have Demonstrable Expertise

From the very beginning of the GDPR’s inception, the EU has been resolute in preventing it from becoming a tick-in-the-box compliance activity. The role of DPO is no different; it cannot be nominally assigned to an unqualified member of staff. Instead, the regulation calls for DPOs to have expert knowledge of data protection law and practices.

4. They Must Be Accessible to Data Subjects

In addition to supervising the data processing activities of the data controller/processor and ensuring its compliance, the DPO is there to help data subjects exercise their rights. The name and contact details of your DPO must be published on any personal data processing related reports and, crucially, on the organisation’s public website.

5. Shared DPOs or vDPOs are Allowed

Most small- to medium-sized businesses across Europe are unlikely to require the services of a DPO on a full-time basis. In recognition of this, the GDPR accepts that DPOs can be shared across organisations so long as their role in each is not compromised or diminished by another. This has already spawned a new service known as the virtual DPO: a third-party outsourced offering that provides a DPO presence for an agreed number of days per year.

In short, the position of the DPO is intended to place a personified GDPR rule book inside organisations handling and processing the personal information of data subjects. Rather than have the supervisory authority (the ICO in the UK) attempt to police the enforcement of the regulation, a hierarchy of sorts allows this responsibility to be passed down to each DPO: a one-stop-shop role for all things data protection.

DPO for Hire

For organisations that already have an Information Security Officer, it makes simple sense to merge the roles through additional training. After all, there are many nods to the ISO 27001 standard in the articles of the GDPR, something your ISO will already be familiar with. For smaller organisations, or those that are unsure whether they even need DPO services, the flexibility of a vDPO option is a better and more cost-effective proposition.

While the negative feelings about the GDPR are subjective, its job creation prospects are not. Expect to see plenty of job adverts for data protection officers adorning the websites of recruitment consultants in the years to come. The DPO is here to stay.

About the Author: Chris Payne is Senior Technical Consultant at Infinigate UK. With 9 years of experience working in IT security, Chris has a wealth of knowledge around information security and holds a GDPR certification under IBITG. In addition to this, he has worked on some of Infinigate’s largest deployment projects and regularly appears as a guest contributor to IT security related blogs, whitepapers and articles. You can follow Chris on LinkedIn and Twitter.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

  • Niko Bel

    Chris, nice write-up, but your conclusion in 2. ‘The ambiguity is such that it may be in the best interests of most to consider creating the [DPO] role for risk-containment purposes even if there is no obvious requirement’ is overkill, definitely for SMEs. The average brick factory does not need a DPO. If in doubt, ask yourself: 1. Are we a public sector organization? 2. Is our main business activity the regular and systematic monitoring of data subjects on a large scale? 3. Are we processing special categories of data, such as those relating to criminal convictions and offenses? If the answers are all negative, you can decide you do not need a DPO. The only risk-containment activity recommended then is to document your analysis and your decision. You still need to comply with the rest of the GDPR requirements, of course.