[BreachExchange] The Rise of the Data Protection Officer

Destry Winant destry at riskbasedsecurity.com
Wed Jun 5 03:28:04 EDT 2019


https://securityboulevard.com/2019/06/the-rise-of-the-data-protection-officer/

As global organizations doing business in the EU settle into the
second year of enforcement of the General Data Protection Regulation
(GDPR), the sweeping data privacy rules have spurred a boom in the
hiring of data privacy professionals in the past year. At the spear
tip of this hiring spree are data protection officers (DPO), a role
that’s been put fully in the spotlight by GDPR mandates.

Sometimes a legal role, sometimes an auditor and sometimes an
enterprise risk or compliance officer, the DPO is a data protection
and privacy champion for an organization. The purpose of the role is
multilayered: The DPO is responsible for both educating and building
awareness within an organization regarding how to protect the privacy
of individuals during all stages of data processing. The DPO also
serves as an auditor and watchkeeper for privacy practices and is in
charge of keeping records on privacy controls and lapses.
Additionally, the DPO acts as a point person for the organization to
set up external communication with those wanting to exercise their
data privacy rights or lodge complaints about how their data is being
used.

The DPO position is not new—it’s a common role in Europe and was
mandated for many firms operating in Germany prior to GDPR. But GDPR
mandates have broadened the reach of DPO positions worldwide.
According to research released a few weeks ago from the International
Association of Privacy Professionals (IAPP), a surge in DPO
appointments has taken place in the last year. Back in 2017, IAPP
conservatively estimated that GDPR would create the need for about
75,000 DPOs worldwide. However, its latest research shows that the
number of DPOs working in Europe alone is actually closer to 500,000.

The rise of the DPO is the tip of the iceberg in a broader surge of
privacy professionals hired worldwide. GDPR is just one factor of
many, as breach-weary consumers push businesses with their wallets
and their political pressure to get serious about protecting data.
Fortune reported that data privacy job postings shot up by 80% last
year, after four years of decline in these kinds of positions prior
to 2018.

The widespread appointment of DPOs comes undoubtedly as a result of
the broad requirements GDPR places on organizations to create these
roles. GDPR (Article 37) has a three-part test for organizations to
determine whether they need a DPO. If the organization processes data
as a public authority or body; if its core activities consist of
"regular and systematic monitoring of data subjects on a large
scale"; or if it processes, on a large scale, special categories of
data (such as health data) or personal data relating to criminal
convictions and offences, then it must designate a DPO.

The vagueness of the “large scale” description and the increased
enterprise reliance on personal information for business analytics and
digital transformation efforts are essentially pushing a wide range of
global organizations to appoint a DPO. Some large organizations are
bringing on multiple DPOs aligned with different lines of business, as
well.

Some of these DPO positions are outsourced, while some are new hires.
In many instances, these are existing privacy professionals who got an
added title and official responsibilities. For example, there is a
degree of overlap between DPOs and chief privacy officers (CPOs).
However, a recent IAPP study shows that the average salary for a CPO
is $220,000, while the typical DPO makes $88,000. The difference
indicates the DPO lies farther down the totem pole, which could pose
cultural problems for organizations if these professionals are too
green or not influential enough to move the needle on privacy progress
at their company.

“Just appointing a DPO isn’t enough,” said Trevor Hughes, CEO of IAPP.
“Organizations must ensure that DPOs are trained and qualified to
address one of the defining tech policy issues of our time: protecting
privacy and individuals’ data.”

The question for security professionals is how much these privacy
positions will overlap with and reach into their daily work.

While some professional chatter has bandied about the idea of
appointing someone like a CISO as a DPO, the reality is that though
these roles are highly interrelated, they're distinct functions. As
Guy Leibovitz of Cognigo recently explained in an opinion piece for SC
Magazine, part of the role of the DPO is in "... actively auditing the
advice, decisions and policies of the CISO, as well as all other
departments," which would create a conflict of interest if one person
held both roles. GDPR makes the same point explicitly: Article 38(6)
allows a DPO to hold other duties only if those duties do not result
in a conflict of interests, and auditing one's own security decisions
is exactly such a conflict.

Instead, CISOs and privacy officers must learn to collaborate closely
to work toward mutual privacy goals in their own function.

Sarah Taïeb, data protection officer at Ipsen Group, told Capgemini in
an interview regarding how the dynamic works in her organization: “We
meet very regularly to ensure that I review her IT policies, and she
reviews my employee policies, for example,” she said. “It’s privacy by
design, but it’s also security by design because if you don’t have
security, you don’t have privacy. The first step is security to make
sure that all of the personal data is secured.”


More information about the BreachExchange mailing list