Privacy Perspectives | With mandatory DPOs looming, answering business FAQs: Part one


You all know the deadline by now. The EU’s General Data Protection Regulation will apply from 25 May 2018. This means that organizations must have implemented all the requirements it imposes by that date. Your to-do list is long, the deadline is tight, and team capabilities are limited.

The appointment of privacy officers is also part of the to-do list, if your processing falls under the criteria. According to the latest IAPP study, based on conservative assumptions, we will need at least 24,000 DPOs to meet private-sector needs, in addition to 4,000 in the public sector. This means that, in the coming months, hundreds of companies will be rushing to the same employment market to find their perfect DPOs. In our DPO recruitment practice, we already observe movement in the DPO employment market due to the GDPR, and this movement will turn into a “war for talent” as the deadline approaches.

Many companies have no experience working with professionals whose sole responsibility is privacy. Exceptions are big multinationals and companies operating in a European country where a DPO is mandatory – i.e. Germany – or advantageous – e.g. France, Sweden. There is no uniformity across Europe with respect to a DPO’s tasks or profile, as a 2012 CEDPO paper shows.

This time it is different.

The GDPR does not only bring an obligation to appoint DPOs, but it also tells us about the main tasks, the job-holder profile, the reporting line, and the modus operandi of this professional.

To shed more light on this issue, we selected some of the practical questions we hear from businesses on a daily basis. Until further clarification is available from the Article 29 Working Party or from the DPAs, we would like to share some food for thought which may inspire your work (and may also give you some comfort that you are not alone!).

Here we go.

When shall we appoint our DPO?

Since the GDPR will apply at the end of May 2018, you won’t be penalized for the lack of a DPO until then. However, appointing a DPO earlier can bring some benefits.

First, you will have an extra pair of hands to help with the GDPR preparations. Second, you will not have left your DPO search until the last moment when the talent hunt is in full gear! Also take note of recruitment lead times: “Time-to-approve” is your internal headcount approval process; “time-to-recruit” is needed to reach out to the potential candidates and the whole recruitment process; and “time-to-start” is the period between an offer acceptance and the actual start date.

European countries have strict labour laws and long notice periods. It is not unusual to wait two to three months for a good candidate after the offer is signed. So act in good time!

The CPO and the DPO – is it the same thing?

There are some similarities, but there are also differences.

The chief privacy officer is the C-level executive in an organization in charge of the strategic management of a corporate privacy program – defining the organization’s privacy vision, developing a strategy and selecting the right governance model, developing and implementing a framework suitable for the entire organization, and finally the performance management of this compliance program.

The European DPO role as described in the GDPR seems to be more operational than this.

They can co-exist within the same global privacy office, which is led by the CPO and composed of a core team of specialists and a bigger team of generalists spread across the organization. Specialists develop policies, procedures, and tools applicable across the whole organization, while generalists – regional privacy managers, local DPOs – act as trusted advisors to their business lines ensuring that the field practices are compliant to corporate standards and the applicable laws, including and foremost with the GDPR.

What is the job holder profile here?

In any recruitment process, the ideal candidate requirements are a combination of hard and soft skills. Hard skills may include domain knowledge, work experience or languages, while soft skills could include leadership, communication, and negotiation. Together these skill sets form the set of qualities needed to perform the job. It is no different for the DPO role. The GDPR does not list all the qualities but gives a few examples, such as the type of knowledge and the ability to perform the tasks.

What type of knowledge?

Our DPO must be knowledgeable about data protection law. In our view, this cannot be limited to the GDPR as there are other privacy-related EU regulations and Member State laws where there is an interaction with the GDPR – telecom laws and employment laws, for example. This view is strengthened by one of the DPO tasks, which is “to monitor compliance with the Regulation and other regional/local privacy provisions…”

Knowing laws, though, is not enough.

Our DPO also needs to know about the operational aspects. These can include privacy practices such as impact assessments, handling data subjects’ requests, employee monitoring, vendor contracts, and breach management.

What “level” of knowledge should we expect from our DPO?

The Regulation asks us to seek “expert” knowledge. However, looking at the Recitals, we understand that it is up to us to define the level of expertise in relation to our type of processing and the level of protection it requires. This would mean that companies which face greater risks – because they are data-driven or they process sensitive data or they rely heavily on outsourcing, for example – must look for someone who has a high level of expert knowledge in law and practices.

On the other hand, if the processing is limited in type, scale or geography, then it could be fine to recruit someone who has a lower level of expert knowledge. The use of the word “expert” here is confusing, as by default it refers to somebody who is very knowledgeable. Plus, it sounds odd to say “low-level expert knowledge.” But you get the point: you need to decide on the level of expertise you need from a DPO.

Another listed quality here is the “ability to fulfill the tasks.” Which skills can enable a person to fulfil all the listed tasks?

Obviously, one’s domain knowledge and previous experience would definitely enhance this ability. However, there are other qualities that are equally important to performing the job well. We are looking for a professional with superb interpersonal skills at all levels of the organization; an approachable person who enjoys sharing knowledge but at the same time knows when to make his or her point clear; someone who is able to work in a structured way under minimum supervision; someone who is good at risk assessment, has strong PR skills and a good command of languages – as the DPO is expected to be in direct communication with data subjects and the DPAs – and finally someone tactful enough to find the fine balance between a trusted advisor and an internal watchdog.


Editor's Note:

This is the first in a two-part series of Perspectives posts on the hiring of data protection officers in the EU. Stay tuned for the second installment, in which Gonca Dhont answers many more questions about DPOs, including where they reside within an organization, and much more.

11 Comments


  • comment Julie Glover • Jun 8, 2016
    Thank you, Gonca!  This is a very useful and practical analysis.
  • comment chris Jangelov • Jun 9, 2016
    Just one question. You talk about "an additional one-year grace period after the 2018 deadline". I have not been able to find any source for this. Would you please explain what this grace period comprises and point me to a source?
    Looking forward to part two.
    Thanks!
  • comment Sam • Jun 9, 2016
    Hi Chris - this was an editorial miscue on my part. In the Council compromise draft, the one-year grace period was included and I mistakenly thought it made it through to final draft when editing this piece. I have changed the piece and apologize for the misinformation.
  • comment chris Jangelov • Jun 9, 2016
    Thanks. Glad we found it! My mind is at ease :-)
  • comment Daniel Pradelles • Jun 15, 2016
    Good article but seems to me that there is one point forgotten here... in the GDPR there is no mention of CPO, only DPO and unfortunately it is currently compared (too much ?) to the specific implementation done in the country having the largest base of DPO :-).
    Then we may say that de facto what the regulation refers to is to a certain extent a "C-DPO" without clearly addressing the "C".
    My personal view is that the acronym "DPO" should refer to a "Data Privacy Organization" and not specifically "one Officer" and indeed such organization must be managed by a senior director or higher having the title of "C-DPO" and a team of collaborators handling the "operational" aspects of the role. The size of the DP organization, the profile of the members should be left to the company as it will highly depend on the size, business sector, structure, history, managing culture, overall culture of the specific company.
    
    But the starting point for the C-DPO is to be positioned at a highest level with appropriate resources to have a strategic role and a "driving" influence on the company Personal (or not personal ?) Data Governance. The adequate balance between the operation side, the strategic side and resources should be defined by the company, it could be one person for small & medium enterprise but for this person to be "strategic" is a fundamental which cannot be left aside.
    This more accurate definition of the acronym "DPO" should be done as quickly as possible before the enforcement date in order, for public and private organizations, to build, train, grow the efficient "CDPO" they need.
  • comment Robert McWilliams • Jun 15, 2016
    Thank you for these useful FAQs, Gonca. Obviously, for the great majority of organizations covered by the GDPR, the logical location for their DPO is Europe. But do you think some organizations (those without a significant presence in Europe, but processing Europeans' personal data) may choose to locate their DPO in their HQ country? I am thinking particularly of the US.
  • comment Andrew Sanderson • Jun 16, 2016
    @robert mcwilliams: as I understand it, GDPR applies to processing of personal data by any "controller or processor not established in the EU" that "offers goods or services ... to data subjects in the EU" [article 3, 2(a)];
    and Article 27 'representatives of controllers or processors not in the EU' adds:
    (1) where article 3(2) applies, the controller or processor shall designate in writing a representative in the EU.
    Representative is defined in 4(17) as 'represents the controller or processor with regard to their respective obligations under this Regulation'.
    Part of the DPO role is acting as local contact for data subjects [38, (4)]; another part is 'cooperate with the supervisory authority' [Article 39, 1(d)] so presence in the local timezone may be an issue.
    It doesn't explicitly join up, but it looks like the DPO should be EU-based.
  • comment Robert McWilliams • Jun 16, 2016
    Thank you, Andrew Sanderson. Clearly the "representative" must be in the EU. If the DPO is a different individual, I guess their location (non-EU HQ country v EU) would offer different advantages for different aspects of the role; the EU being better for the externally facing aspects, and the HQ country more efficient for internally facing tasks (training, monitoring, etc). I am thinking mainly about businesses without a significant EU office, and there may not be many of them that fall under the mandatory DPO requirement.
  • comment Gonca Dhont • Jun 16, 2016
    Robert – this is a good question, one we hear many times from businesses with/without physical presence here in Europe. I have covered this point in the second part of this series, so stay tuned! But let me briefly share what I think. Even if the job candidate perfectly matches the required knowledge, experience and skill set, yet I see 2 issues here: 1) acceptance/integration of a remote DPO within the European organization (it would be different if we were speaking of a remote HR, Marketing or Finance pro; a DPO is a brand new function for many companies) 2) as Andrew said - direct interaction with the data subjects and the local authorities will be required which may have to go beyond e-mail / phone communication for the latter.
  • comment Robert McWilliams • Jun 17, 2016
    Thank you, Gonca, and for part two also. This has been a very useful discussion.
  • comment Stuart Ritchie • Jun 19, 2016
    @Daniel: interesting points. I'll confine myself to your comments on merging CPO and DPO. I have to say when I first looked at this last year my instinctive response was similar. However, after inquiring into model law and jurisprudence (notably Germany from a lay perspective), re-reading the Recitals, and comparing against the regulation of individuals in some industry sectors, I arrived at the view that such a merger would simply paint a big "sue-me" sign on the enterprise.
    
    If we think of the DPO as a statutory office (which, after all, it is), we'll have the right mind-set (noting that the required standards of independence, competence, and qualifications often may be far higher than that for a company officer, along with the incurred risks).