The Data Protection Officers required by the new European General Data Protection Regulation for specific organisations can be almost impossible to find. But there is a rare breed of data management-savvy cloud providers that are inherently well-placed to fill the gap.
Coming into force on May 25, 2018 and covering all the personal data of EU citizens anywhere, the GDPR requires many companies to appoint a data protection officer (DPO). This is a new role that could leave many organisations unclear about whether they need one, what it involves and who can do it, until it is too late.
Who needs a DPO? The majority of organisations
Before the technicalities of the role are even considered, many businesses will be uncertain as to whether they need to appoint one of these new officers. Article 37 of the GDPR specifies that DPOs must be appointed by: all public authorities, with the exception of courts; any organisation carrying out systematic monitoring of individuals on a large scale; or where the core activities of the company involves the processing of data relating to criminal convictions and offences or so-called “special categories” such as genetic data, health data, racial origin or sexual orientation.
This will of course excuse many organisations, yet even where the GDPR does not specifically require the appointment of a DPO, the ICO and other enforcement bodies regard the creation of the post as a matter of good practice. In addition, any organisation deciding it does not need a DPO should consider how long it will stay on the right side of the regulation.
After all, even if an organisation does not need a DPO, it must still fulfil the same responsibilities – meaning a decision not to appoint a DPO can actually make fulfilling GDPR obligations harder.
A huge range of responsibilities – but who is qualified?
A DPO’s responsibilities are enormously wide-ranging. In short, it involves supervising all data within a business that is subject to GDPR rules. But this simple definition hides the mammoth scope of the task. It will include monitoring the collection of data, justifying its possession, assuring secure storage, auditing vulnerabilities and in many cases overseeing deletion of valuable material.
This breadth begs another question – who is qualified to be a DPO? The requirements can make the DPO’s job description sound like some kind of data protection superhero, capable of translating legal requirements into both processes and technical needs, overseeing awareness-raising and staff training, all while empowering not restricting the company’s wider vision.
>See also: The General Data Protection opportunity
And in case this wasn’t enough, it stands to reason – and is in fact specifically mentioned in the GDPR guidelines – that the more complex or high risk the data processing activities are, the greater the expertise of the DPO will need to be.
Not a role for Information security personnel
This is a demanding set of responsibilities and often the confusion between privacy and security means they are handed to those responsible for security, which is the wrong approach. This is because anyone with an information security remit is charged with protecting the company and its data, whereas the responsibility of the DPO is to protect the interests of the data subject, even if these appear to clash with those of the company.
For a DPO there should be no conflicts of interest with any other activities in the organisation and if a breach occurs, a report must go to the authorities – it cannot be a matter for debate.
Choosing the right alternative
When the role is reviewed, it is a miracle anyone wants to be a DPO. This hardly makes recruitment easy, especially as the GDPR deadline approaches and qualified personnel are in short supply.
The complexities, the demands of the job, the skills shortage and the cost of appointment – all these factors will inevitably lead to a more pragmatic approach where organisations rely on external expertise: a “DPO-as-a-service” concept.
There is a range of possible options for such input, ranging from lawyers to management consultants. But despite what many of these service providers may claim, meeting ongoing requirements is not solved with an audit and list of recommendations.
This will enable only a quick fix, and not ongoing observance. This requires a far more rigorous understanding of the way data comes into and moves through a business, including, but certainly not limited to, the technology involved.
Indeed, where an organisation is advanced enough to have already moved to the cloud, the additional dynamic to data usage that the cloud brings would logically make cloud providers the more suitable partner – provided they are not only cloud experts, but also genuine specialists in data management.
Many cloud providers purport to accommodate data management and privacy in their services, but few in fact have the history, knowledge or expertise to back it up. For many, data management is considered almost an add-on, in much the same way as an additional service such as back-up or disaster recovery.
In fact, only cloud providers that have built their original services around data management principles rather than the cloud basics of flexibility, uptime and scalability are suitably qualified to offer data management services – and DPO-as-a-Service most of all.
This rare breed – capable of simultaneously advising on and implementing cloud strategy while also steeped in data management and surrounding legislative frameworks, including GDPR – can offer immediate access to not only consultancy but also sophisticated tools that can assist in fulfilling obligations on an ongoing basis.
Businesses are understandably concerned about the need for DPOs, and are naturally seeking external support in advance of the May deadline. So where the business’ data is held in the cloud, it is only natural to look to the cloud provider for advice on data management – but only if that provider genuinely has the suitable track record, focus and expertise.
Sourced by Sophie Chase-Borthwick, Global Lead – GDPR Services, Calligo