
Data Protection is Everyone’s Business, but Should be Someone’s Job

Acxiom, May 23, 2018

One of the key facets of the GDPR in the EU, which goes into effect at the end of this week, is the mandatory appointment of a Data Protection Officer (DPO) for any organization that processes or stores personal data, whether for employees, individuals outside the organization, or both. These DPOs are ultimately responsible for overseeing the organization’s data protection strategy and implementation to ensure compliance with GDPR requirements. Considering the potential financial implications of non-compliance (up to 4% of a company’s worldwide annual revenue), it’s critical to have someone in charge.

Why You Should Consider a DPO

With roles already focused on the use and security of data – Chief Information Officers, Security Officers, Marketing Information Managers, etc. – is this newly minted job description relevant, especially for brands not operating in the EU? Should U.S.-based companies consider appointing their own DPOs, and why?

At Acxiom we spend a lot of time advocating for data ethics by design and the importance of building in a process for assessing data protection at all levels of the organization – it fundamentally is everyone’s business to protect consumer data. We train engineers to think about privacy and train privacy officers to understand engineering, and counsel our clients on operational data governance every day. Even with all the proper due diligence in place, we do believe most enterprises should consider appointing a DPO for two reasons – avoiding conflicts of interest and demonstrating a commitment to data protection both internally and externally.

As a rule of thumb, many leadership positions within the organization could conflict with the DPO’s role, so the people who hold them cannot serve in both capacities. These include senior management positions such as CEO, COO, CFO, and heads of marketing, HR or IT. Other roles lower down in the organizational structure could also be seen as conflicting if such positions or roles lead to the determination of purposes and means of processing.

Qualifications for Success

In a 2017 article, What skills should your DPO absolutely have?, the IAPP (International Association of Privacy Professionals) says that the role “first and foremost requires an experienced professional”. He or she should have the seniority and management experience to be peers with other leaders within the organization, and the IAPP recommends the following qualifications:

  • Risk/IT: DPOs must have significant experience in privacy and security risk assessment and best practice mitigation, including significant hands-on experience in privacy assessments, privacy certifications/seals, and information security standards certifications.
  • Legal expertise/independence: DPOs must know data protection law to a level of expertise based upon the type of processing carried out. This suggests that DPOs should be licensed lawyers or otherwise highly well versed and knowledgeable of not only the GDPR and other relevant legislation (e.g. E-Privacy Directive) but also privacy and related laws in all jurisdictions their organization does business or outsources operations.
  • Cultural/global expertise: DPOs will likely be dealing with controllers and processors from different countries and therefore business cultures. He or she must have experience in dealing with different ways of thinking and doing business and have the flexibility to marshal these differences into a successful result.
  • Leadership/broad exposure: DPOs will need to have leadership and project management experience, to be able to request, marshal and lead the resources needed to carry out their roles. They should also have broad business experience to know the industries of the data controller and processor well enough to understand how privacy should be implemented to integrate smoothly with the way each company designs and markets its products and services and earns its revenues.

Some organizations are also considering outsourcing the DPO function altogether. This may be a good short-term solution, especially considering the limited talent pool. Many organizations should also consider IAPP training courses for their junior team members as a way to grow the skill set from within.

Why Now vs. Later

As with any new job role, DPOs are actively creating their own peer network to share best practices and create new codes of conduct. The earlier you appoint or hire a DPO, the more embedded he or she can become in a community of professionals that will drive the conversation forward and put your organization in a stronger position for the future.