Lindsey Finch recently secured the role of Data Protection Officer at Salesforce. She has been with the company for more than 10 years and currently leads its privacy and product legal teams.
As DPO, Lindsey will be responsible for GDPR compliance internally and now serves as a point of contact between the company and supervisory authorities.
She will also work to ensure external customer compliance with the General Data Protection Regulation. In a statement, a spokesperson from Salesforce said: “We welcome this law as an important step forward in streamlining data protection requirements across the European Union and as an opportunity for our company to deepen its commitment to data protection.”
Do you need a Data Protection Officer too?
Before even going to the trouble of finding somebody suitable for the role, many organisations are uncertain as to whether or not they need to appoint a Data Protection Officer. Article 37 of the GDPR specifies that a DPO must be appointed if: you are a public authority (except for courts acting in their judicial capacity); your core activities require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
This naturally excuses many organisations; however, where the GDPR does not specifically require the appointment of a DPO, enforcement bodies such as the ICO consider the appointment good practice.
Organisations that decide they do not need a DPO are also being warned to consider how long they will stay compliant with the regulation without one, given that organisations without the obligation to appoint a DPO still have to fulfil the same responsibilities.
What does a DPO do and where do I find one?
A DPO’s role is rather wide-ranging. A detailed breakdown of their tasks is defined in Article 39; in short, the role involves making sure all data within a business complies with the GDPR. Although this is a simplified description, there is no getting away from how large a task the role involves. It essentially requires monitoring the collection of all data, justifying its possession, ensuring secure storage, auditing vulnerabilities and deleting sensitive material.
This raises the question: who is qualified to be a DPO? According to the legislation: “The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.”
Arguably this is a rather liberal definition, as the legislation appears to give organisations the right to choose whomever they deem appropriate, as long as that person can fulfil the necessary tasks.
Interestingly, a DPO can be appointed from within an organisation or hired externally. However, this does not mean the position should simply be passed to whoever the organisation likes. Firstly, if an organisation is looking to fill this position internally, it will need to make sure there are no conflicts of interest with any other activities in the organisation, and if a conflict does arise a report must be sent to the authorities.
The vague qualification requirements have arguably made finding a DPO very difficult. Although you may come across people who claim to be GDPR certified or GDPR experts, formal certifications in GDPR have not yet been created, so these titles are very misleading. Many organisations are picking legal talent to take up this role; however, without a framework to accurately assess the skills people claim to have, many organisations are likely to be hiring blind.