Jon Maron, Nortal’s VP of Sales and Business Development in North America, January 4, 2018
Businesses around the globe are preparing for May 25, 2018, the day the EU’s strict new General Data Protection Regulation (GDPR) comes into effect. To comply and continue serving European customers, U.S. companies need to get serious about GDPR. Some U.S. companies will have to appoint a Data Protection Officer (DPO). But which companies need a DPO and what form should that position take?
Article 37 of the regulation states that any controller or processor of data must appoint a DPO if their “core activities” require “regular and systematic monitoring of data subjects on a large scale.”
The text leaves room for interpretation, particularly on the definition of “large scale.” Therefore, any company that holds personal data on EU residents needs to consider its risk exposure.
Smaller companies have the option of using a DPO in the form of a purchased service. One DPO can serve several organizations. At the larger end of the scale, a dedicated in-house DPO is the only way to go. In this case, the DPO should be a C-level management position.
The reason is rooted in the unusual responsibilities and dual role of the DPO.
On one hand, the DPO is tasked with making sure all the company’s business practices are GDPR compliant. This could entail far-reaching changes to business practices that only someone at the top level has the insights and power to make.
On the other hand, the DPO has to act as policeman and whistleblower, at times reporting to a Data Protection Authority in an EU member state. The GDPR stipulates that the DPO reports directly to the highest management level and cannot be dismissed or punished for performing his or her duties.
This year, the Data Protection Officer will be the new member of the C-suite.
The regulation itself doesn’t define qualifications for the DPO other than “expert knowledge of data protection law and practices.” In practical terms, the ideal DPO would have the necessary legal knowledge as well as a deep enough understanding of your business practices and IT systems to guide you through the compliance process.
Finding the right person to fill the role may be a challenge. Ultimately, however, it’s senior management that will be held responsible for any GDPR failures. Companies that want to minimize their risk will find their DPO sooner rather than later.