The GDPR: Coming to a US Company Near You
As we’ve discussed in a previous post, the General Data Protection Regulation (GDPR) is a significant new EU privacy regulation with the potential to impact American businesses. As it exists right now, the regulation would apply to US companies that process personal information and (1) intend to offer products/services to people in the EU, or (2) monitor people in the EU. While the GDPR isn’t slated to go into effect until 2018 – and many companies have joined the new EU-US Privacy Shield Framework – there is a lot of uncertainty surrounding how those two rules will interact and what impact they will have on US companies. Today we’ll explore one component of the GDPR: the Data Protection Officer.
Breaking Down the Data Protection Officer
One of the more interesting and challenging requirements of the GDPR is the assignment of a mandatory Data Protection Officer (DPO) for companies that meet certain requirements. For instance, companies that process data as a “core activity” and require “regular and systematic monitoring” must have a DPO, no matter their size. Similarly, companies must designate a DPO if they process “special categories” of data (e.g. race, ethnicity, political opinion, religious beliefs, health information).
Given the fairly vague definitions of core and large scale activity, it’s likely a fair number of U.S. companies will be subject to the requirement to have a DPO. For example, an obvious company like Facebook would be subject to this, but so would smaller internet companies like WhatsApp (even before they were acquired by Facebook). A recent study predicted that at least 28,000 new data protection officers will be needed under the GDPR.
While there is some guidance available about the qualifications of a DPO, the reality is that this will likely be a challenging role to fill. The DPO will need to possess both specialized technical knowledge and critical regulatory knowledge. Many have advocated thus far that this role will likely be filled by a legal or compliance expert, but preparing to potentially implement a DPO goes well beyond privacy issues.
The Data Protection Officer Skills Gap
Lest you think that it is a simple matter of finding a regulatory compliance or legal expert, think a little bit more about what that requirement really means. In addition to advising the company on its obligations to comply with the GDPR and other applicable data protection laws, the DPO will also have to manage internal data processing activities. Companies that process large amounts of personal data, like Shopify or MailChimp, do so using IT infrastructure, technologies, and databases. That means a DPO responsible for managing those internal activities must also have a significant technology and cybersecurity background. The relationship becomes even more complicated since these specific processing services are often used by other companies that control a lot of data, even if they don’t process it themselves. The complex realities of modern business make it even more critical to fully understand both the technical and business risks of processing that data and to develop procedures to properly handle and secure it. Even though the GDPR allows a group of companies to hire one independent DPO, there is still only a select group of candidates with all the required skills and background to effectively serve even a single organization.
Cybersecurity (and Data Protection) Culture Starts at the Top
In order to make for a successful DPO hire or appointment, organizations must understand their own specific data protection needs. Boards and C-suites need to be able to articulate and respond to data protection issues, just as they need to understand and guide corporate strategy around cybersecurity. When executives meet a baseline of literacy in data protection, they can better identify the traits, background, and skills required of a DPO. Moreover, they will be equipped to understand and evaluate the updates they receive from the DPO. The issue of data protection must have a seat at the executive table.
The first step to enterprise-wide cyber literacy is to institute a culture of security across the entire organization. This culture fosters effective communication between executives, data protection officers, and security leaders, allowing for a transparent discussion of cyber threats and corporate vulnerabilities. That type of culture can only start at one place: the top.
At N2K, our executive cybersecurity training programs emphasize how cybersecurity issues impact all aspects of business operations and enterprise risk. To learn more about how to lead your cyber culture change from the top, join us at our Cyber Resolve seminar in NYC on May 1. Prefer private training for you and your fellow members of the C-Suite? Contact us. We’ll bring the education to you.