When the General Data Protection Regulation goes into effect in May, it will set forth a number of requirements for organizations that store and process the personal data of citizens of the European Union. One such requirement, according to Article 37, is that many organizations will need to hire someone to take on the GDPR data protection officer role.
The GDPR does not list specific qualification criteria for the data protection officer role beyond stating that the officer must have "expert knowledge of data protection law and practices." The regulation does, however, list the data protection officer's responsibilities:
- keep controllers informed of their responsibilities and obligations as they pertain to data protection;
- communicate to data subjects their rights pertaining to the handling and use of their data;
- advise the organization as to how the data protection rules should be interpreted and applied;
- create and maintain a registry of the institution's processing operations;
- notify the EU of any intended processing operations that could infringe on the data protection rights or freedoms of EU citizens;
- ensure the organization maintains ongoing data protection compliance;
- respond to any applicable questions or complaints;
- act as a point of contact for the European Data Protection Supervisor and facilitate requests for inspections, investigations and so on; and
- inform the organization of any failure to comply with applicable data protection rules.
The impact of the data protection officer
The introduction of the data protection officer role into organizations that are subject to the GDPR is sure to have at least some impact on the organization's data protection efforts. But what can such organizations realistically expect?
Organizations with strong data protection initiatives in place will typically find that few significant changes are required at the IT level. They may find that the majority of the related changes pertain to workflow and documentation requirements.
The newly appointed GDPR data protection officer role will encompass direct access to both the IT department and the executive staff to learn how the business operates and what compliance initiatives are currently in place. Organizations may find that they need to budget for more overtime because of the demands that the organization's compliance initiatives make on the employees' schedules.
The introduction of a data protection officer will result in some organization-level changes. In addition, an organization that wants to ensure GDPR compliance should also consider the biggest challenges for the person who will be filling the data protection officer role. This type of forward thinking will make it easier to overcome those challenges and move forward with protecting the organization's data.
Challenges for the data protection officer role
Because every organization is different, the GDPR data protection officer role will face a variety of challenges. In some organizations, for example, the biggest challenges are likely to be cultural. Compliance officers are often the least popular people in a given company, and so, the data protection officer may find that he or she is treated by co-workers as an unwelcome bureaucrat who is there to make everyone's life more difficult. In such organizations, the greatest challenge for the officer may be to keep co-workers from trying to circumvent the compliance initiatives.
In other organizations, the data protection officer's biggest challenge is likely to be that of establishing an initial state of compliance. Enterprise-class organizations own vast repositories of data, and figuring out what data the organization actually owns, where the data is stored, how the data is being used and what security measures are in place is sure to be a monumental undertaking.
Establishing GDPR compliance is going to be a big responsibility for regulated organizations. Having to work with a data protection officer will be a significant change for the IT department, who may be used to working autonomously. At the same time, the GDPR data protection officer role will also face considerable challenges and will depend on the IT staff and executive staff to help get the job done.
Data protection officer talks privacy in the Salesforce cloud