You all know the deadline by now. The EU’s General Data Protection Regulation will apply from 25 May 2018. This means that organizations must have implemented all the requirements it imposes by that date. Your to-do list is long, the deadline is tight, and team capabilities are limited.
The appointment of privacy officers is also part of the to-do list, if your processing falls under the criteria. According to CEDPO paper.
This time it is different.
The GDPR does not only bring an obligation to appoint DPOs, but it also tells us about the main tasks, the job-holder profile, the reporting line, and the modus operandi of this professional.
To shed more light on this issue, we selected some of the practical questions we hear from businesses on a daily basis. Until further clarification is available from the Article 29 Working Party or from the DPAs, we would like to share some food for thought which may inspire your work (and may also give you some comfort that you are not alone!).
Here we go.
When shall we appoint our DPO?
Since the GDPR will apply at the end of May 2018, you won’t be penalized for the lack of a DPO until then. However, appointing a DPO earlier can bring some benefits.
First, you will have an extra pair of hands to help with the GDPR preparations. Second, you will not have left your DPO search until the last moment when the talent hunt is in full gear! Also take note of recruitment lead times: “Time-to-approve” is your internal headcount approval process; “time-to-recruit” is needed to reach out to the potential candidates and the whole recruitment process; and “time-to-start” is the period between an offer acceptance and the actual start date.
European countries have strict labour laws and long notice periods. It is not unusual to wait for a good candidate for two to three months as of the offer signature. So, act timely!
The CPO and the DPO – is it the same thing?
There are some similarities but yet there are differences.
The chief privacy officer is the C-level executive in an organization in charge of the strategic management of a corporate privacy program – defining the organization’s privacy vision, developing a strategy and selecting the right governance model, developing and implementing a framework suitable for the entire organization, and finally the performance management of this compliance program.
The European DPO role as described in the GDPR seems to be more operational than this.
They can co-exist within the same global privacy office, which is led by the CPO and composed of a core team of specialists and a bigger team of generalists spread across the organization. Specialists develop policies, procedures, and tools applicable across the whole organization, while generalists – regional privacy managers, local DPOs – act as trusted advisors to their business lines ensuring that the field practices are compliant to corporate standards and the applicable laws, including and foremost with the GDPR.
What is the job holder profile here?
In any recruitment process, the ideal candidate requirements are a combination of hard and soft skills. Hard skills may include domain knowledge, work experience or languages, while soft skills could include leadership, communication, and negotiation. Together these skill sets form the set of qualities to perform the job. It is no different for the DPO role. The GDPR does not list all the qualities but gives a few examples, such as the type of knowledge and the ability to perform the tasks.
What type of knowledge?
Our DPO must be knowledgeable about data protection law. In our view, this cannot be limited to the GDPR as there are other privacy-related EU regulations and Member State laws where there is an interaction with the GDPR – telecom laws and employment laws, for example. This view is strengthened by one of the DPO tasks, which is “to monitor compliance with the Regulation and other regional/local privacy provisions…”
Knowing laws, though, is not enough.
Our DPO also needs to know about the operational aspects. These can include privacy practices such as impact assessments, handling data subject’s requests, employee monitoring, vendor contracts, and breach management.
What “level” of knowledge should we expect from our DPO?
The Regulation asks us to seek “expert” knowledge. However, looking at the Recitals, we understand that it is up to us to define the level of expertise in relation to our type of processing and the level of protection it requires. This would mean that companies which face greater risks – because they are data-driven or they process sensitive data or they rely heavily on outsourcing, for example – must look for someone who has a high level of expert knowledge in law and practices.
On the other hand, if the processing is limited in type, scale or geography, then it could be fine to recruit someone who has a lower level of expert knowledge. The use of word “expert” here is very confusing as it – by default – refers to somebody who is very knowledgeable. Plus, it sounds weird to say “little-level expert knowledge.” But you’ve got the point: You need to decide on the level of expertise you need from a DPO.
Another listed quality here is the “ability to fulfill the tasks.” Which skills can enable a person to fulfil all the listed tasks?
Obviously, one’s domain knowledge and previous experience would definitely enhance this ability. However, there are other qualities that are equally important to perform the job well. We are looking for a professional with superb interpersonal skills at all levels of the organization; an approachable person who enjoys sharing knowledge but at the same time knows when to make his or her point clear; someone who is able to work in a structured way under minimum supervision; someone who is good in risk-assessment, has strong PR skills, with a good command of languages – as the DPO is expected to be in direct communication with data subjects and the DPAs – and finally someone tactful enough to find the fine balance between a trusted advisor and an internal watchdog.
photo credit: Scrabble - Application via photopin