In January 2017, I began serving as the IAPP’s new data protection officer. Like many IAPP members, I’m tasked with bringing my employer up to speed on implementation of the European Union’s General Data Protection Regulation, now just one year away from coming into force.
Over the next 12 months, this blog — DPO Confessional — will reflect that journey. We hope you’ll learn from it, or at least enjoy knowing you’re not alone, and that you’ll feel free to provide your own comments and points of view along the way.
Meet the DPO
The IAPP has more than four thousand members in Europe, and anticipates rapid growth in the coming months and years with the GDPR’s mandatory DPO requirements calling for tens of thousands of new privacy professional positions in the EU and around the globe. Regardless of whether the IAPP’s “core activities” involve processing EU citizens’ personal data on a “large scale” as set forth in Article 37, the IAPP is heeding the Article 29 Working Party’s advice to interpret this provision broadly and appoint a DPO.
Why me? There are several reasons. For one, as the IAPP’s Research Director I have been studying and writing about the GDPR, and the DPO role in particular, since January 2016. This gives me a head start on fulfilling the most important DPO credential, which is an “in-depth understanding” of the GDPR. My role also requires that I understand the various flavors in which privacy professionals come, as well as the skills and resources they need to perform their jobs. By serving as the IAPP’s DPO, I hope to better relate to and understand the professionals our research supports.
The research director is also insulated from decisions about using personal data for marketing or related purposes, allowing me to avoid conflicts of interest. Through more than 20 years as a practicing attorney, moreover, I have developed some of the “soft skills” useful to the DPO job, including issue spotting, fact gathering, risk analysis, handling business affairs with confidentiality, teaching others about the law, and communicating with people in a variety of roles inside and outside the organization, including with regulators.
To be sure, I do not believe the DPO must be a lawyer; but I hope my law practice background might offer my employer advantages, especially in working on vendor agreements, drafting policies, and documenting privacy practices.
Early Days
Like most DPOs, of course, I do not work alone or in a vacuum. The IAPP has had an internal privacy professional for many years — Membership Director Kimberly MacNeill — and she has trained the staff to care about privacy issues and spot them early.
As I have made my way through the company, meeting with department directors to better understand data-handling practices, I have been pleased to find a privacy-sensitive workforce and an extremely resourceful technical staff willing and capable of creative fixes.
Privacy practices are always a team effort. The DPO here at the IAPP will serve as the point of contact for anyone raising a privacy concern, work with management to continuously improve data governance, and participate in negotiating vendor agreements for privacy and security controls. But much of the work will be with IAPP programmers and database managers, events and membership staff, and others throughout the organization who collect, store, manage and use our members’ personal information.
This summer I’m lucky to be working with a law student from the University of Maine School of Law who won an IAPP internship as the school’s first Privacy Fellow. Here’s a partial list of what we’ll work on together: (1) updating the IAPP privacy statement; (2) creating a standard (but adaptable) vendor agreement with data processors; (3) trying out new technical tools for privacy impact assessments, record keeping, and the like; (4) going through each article, and the accompanying recitals, of the GDPR and mapping them against current practices; and (5) making recommendations to modify or adapt our practices to work toward compliance.
This serves the dual function of helping me fulfill my DPO duties while training another new privacy pro!
Future Blog Posts
Many of my next posts will track the major issues raised in the Top Ten Operational Impacts of the GDPR, starting with consent and the vexing problem of unwanted email.
Of course, these posts will have to walk the fine line between transparency and member engagement on the one hand, and breach of confidentiality or admissions against interest on the other. But privacy professionals will agree that privacy is a process, and perfection is a worthy but often elusive goal.
I’m looking forward to a productive and educational year.