You Need a Data Privacy Officer. Look for These Four Skills
Polish the Job Requirements
Privacy is about keeping secrets, but it is sure getting a lot of attention recently. At the center of that attention is a new, emerging role: the Data Protection Officer (DPO). Most notably, the recent GDPR regulation, designed to strengthen and unify data protection for individuals within and doing business with the EU, mandates a DPO for organizations that meet certain requirements. A recent study predicted that at least 28,000 new DPOs will be needed in the wake of the GDPR regulation. Indeed, when we spoke with Daniel J. Solove, an international expert on privacy law, he emphasized the importance of even American businesses filling this role to help protect sensitive data and consumer privacy.
As your organization looks for candidates, prioritize the following four qualifications.
This is listed as the first qualification for a reason. The ultimate job of the DPO is to inform other organizational leadership of the latest developments in data security law. The DPO need not be a lawyer, but he/she should be able to digest, understand, and communicate developments in relevant laws such as Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act, and other regulations that mandate specific security standards. Leveraging the DPO in this capacity should happen before a security control is selected.
For example, if you are a company that processes consumer credit card information, the DPO can inform you of the encryption standards mandated by the Payment Card Industry Data Security Standard (PCI-DSS). By following these regulations and the guidance of the DPO, you can disprove negligence and help your organization avoid legal consequences in the event of a data breach or other incident. It’s the job of the DPO to stay on top of such regulations so your organization can adapt along with technology standards.
The world of compliance is a complicated place, so the DPO should be able to discuss data security issues in plain language with all stakeholders. When talking to executive leadership, the DPO should be comfortable translating dense technical jargon into high-level business outcomes. At the same time, he/she must be detail-oriented, directing and overseeing the data security policy for the entire organization. The DPO should understand all the intricacies of compliance law, finance, information security, and business management – plus be able to brief managers at every level of the organization.
For most midsize and large companies, having one person to oversee all data protection efforts isn’t enough. For a DPO to be most effective, he/she should have access to sufficient resources, as well as a fully-staffed, experienced team to carry out the work.
Not only should the DPO be expected to interface with the Chief Information Security Officer (CISO) and the privacy team they supervise, but he/she must also be prepared to oversee training for the organization’s entire workforce. Everyone in the organization – from the CEO to the Intern – needs to be cyber literate. A successful DPO will understand the importance of education. Every employee should have a comprehensive understanding about privacy and data security, and education should be more than just a routine “check the box,” training.
Given the fact that the DPO will manage a team and interact with individuals across so many levels of the organization, he/she must be comfortable with working with and educating others.
Can strategic thinking be taught? That question has prompted an enduring debate among researchers studying leadership. Both Sun Tzu and Carl von Clausewitz suggest that strategy isn’t an academic pursuit – it’s an art form.
Learned or innate, strategic thinking is a skill that your DPO should have. Your DPO must understand the security trade-offs associated with your organization’s business decisions. Often, these decisions are framed as dollars-and-cents calculations. However, there are also intangible risks to consider, such as the loss of customer trust and reputational damage your organization might face in the aftermath of a data breach. The DPO must act decisively despite conditions of uncertainty, while always balancing consumer privacy with business considerations.
First Step in DPO Hiring– Cyber Literacy
In order for a successful DPO hire or appointment, organizations must understand the specific data protection needs of their respective organizations. Boards and C-suites need to be able to articulate and respond to data protection issues, just like they need to understand and guide corporate strategy around cybersecurity.
At N2K, our Cyber Resolve cyber risk programs for boards and executives focuses on how cyber risk influences a business’s broader enterprise risk. To learn more about how to lead your cyber culture change from the top, check out N2K’s private training delivered in your boardroom, designed specifically for Boards and Executives.