Of all the new obligations created by the EU General Data Protection Regulation, perhaps the one most interesting to members of the IAPP is the mandatory DPO. Does this represent a vast new ocean of great job prospects? Will organizations simply task someone already on staff with the role? Where will the role sit in the organization? Is it even a job anyone would actually want?

Conversations with chief privacy officers and lead privacy counsels reveal that many organizations have still not decided how they’ll handle the DPO role. At the IAPP Data Protection Intensive in London this spring, Citi’s legal and operational privacy leads spoke to their deliberations and noted no decision has yet been made. Similarly, this past week at the Data Summit put on by the Irish government in Dublin, the EMEA privacy compliance manager for Janssen Pharmaceutical, part of Johnson & Johnson, similarly reported during the IAPP's DPO workshop that internal deliberations continue.

Facebook, however, used the Data Summit to report it has made its decision: The data protection officer will sit within its global privacy policy team, not in legal, and will reside in Ireland, where Facebook has its EU headquarters. In fact, Facebook has posted the job and is actively recruiting.

“The DPO could have been located in a number of different functions across Facebook,” Facebook Global Deputy Chief Privacy Officer Stephen Deadman told The Privacy Advisor, “and we spent some time debating this. But, in any event, the DPO role is somewhat unique and straddles traditional functional boundaries. So, this choice just reflects the way Facebook is organized.” 

Facebook has a relatively large privacy team, in general, and Deadman noted the program has always been “cross-functional. We don’t have a single privacy team because so many functions across the company are involved in dealing with and managing aspects of privacy and data protection — from product development to engineering to design and user experience, research and insights, communications, and security, as well as policy and legal.”

The job description also provides insight into how Facebook has interpreted certain parts of the GDPR’s Articles 37 through 39, which outline the role and responsibilities of the DPO. What does “expert knowledge of data protection law and practices” mean? Facebook is requiring 10 years relevant work experience. The company is not, however, requiring a law degree. Rather, Facebook would like to see “excellent academic credentials — advanced degrees preferred.”

In fact, Facebook specifically considered, and dismissed, having the DPO sit on the legal team. “Within our legal function, we have a specialist data protection and privacy team, headed by Yvonne Cunnane,” Deadman said. “This team will continue to provide the best legal advice on data protection and privacy to Facebook. While working closely with the legal team, the DPO performs a different role. An important part of the DPO’s role is operational. Just as important as giving advice and guidance is monitoring processes and systems, putting in place new processes and documentation for compliance, and working with cross-functional teams to ensure we have the best arrangements to deliver compliance in practice. There is, therefore, a strong programmatic element to the role.”

Further, the DPO role has specific duties around communications with data protection authorities, Deadman noted, and “Facebook’s external engagement with data protection regulators sits primarily with the global privacy policy team,” which further pushed Facebook in the direction of placing the DPO role there.

Of course, Facebook’s job description points to the difficult nature of filling the role. In addition to the experience and education required, Facebook is looking for someone with “extensive experience engaging with data protection authorities,” someone “experienced at presenting to executive management at the very highest levels,” someone with knowledge not only of technology issues but also technology’s potential social and economic impact. Heck, they even have to be an excellent writer.

How many data protection experts are out there with the requisite qualifications? Facebook, and a host of other organizations inside and outside Europe, are about to find out.