No, this isn’t just another new C-suite position created to help companies deal with digital transformation. In fact, the C-suite is getting pretty full already! A Data Protection Officer (DPO) is a position required specifically for certain companies that need to adhere to the General Data Protection Regulation (GDPR), a law that originated in the European Union (EU) and goes into effect later this year. Before you jump ship on this article thinking it doesn’t apply to you, hold on. GDPR impacts any companies—in the EU or elsewhere—that do business in Europe or collect data from EU citizens. That means U.S. businesses that have clients or customers in the EU are also required to adhere to it—whether they have a physical presence in the EU or not.
So: Are you set to follow GDPR? And if so, do you need a DPO? The two questions aren’t mutually exclusive—and the guidelines themselves are not super clear. So, we’ve created some tips to help you figure it out.
Why a DPO for the GDPR?
I don’t want you to get lost in a sea of alphabet soup. If you’re still unclear how the GDPR could impact your company in general, check out this overview I recently put together on Converge.
In a nutshell, GDPR will go into effect this May, and requires companies to protect personal info gained through transactions in any EU states. This means even companies without an EU presence are still required to adhere to it. The most challenging part for companies is that GDPR defines personal/sensitive data incredibly broadly—including anything from an IP address to cookies to financial information. Technically, anything that could potentially help you identify someone’s religion, culture, ethnicity, sexual orientation, location, finances, etc., is part of the definition (i.e. even a podcast, playlist, or search history would be deemed sensitive). With those wide parameters—and limited clear definitions—employing a DPO voluntarily just makes good practical sense—even if your company is not required to have one.
Who is Required to have a DPO?
This is where things get murky. GDPR specifies that all public authorities (except courts) and all private companies that process large-scale amounts of sensitive data on a regular and systematic basis must have a DPO. We’ve already determined that “sensitive” could mean almost anything. Missing from the law? An exact qualifier on what “large-scale” processing means.
If you’re not sure if your company deals with “large amounts” of personal data, lean on the “regular and systematic” specification instead. In other words, if you have a shop on Etsy that has one-off EU customers, you don’t need to worry about GDPR, even though you’re technically collecting someone’s name, location, etc. However, Etsy itself would likely need a DPO, as it probably runs regular reports to gather data on its EU customer base, how they prefer to shop, which device they shop from, how much they’re willing to spend, etc. The same would apply to bodies like hospitals, financial institutions, insurance companies, etc. In short, think volume and permanence. If you’re regularly gathering and processing large amounts of data to gain insights into your company, customer base, or patients over time, you should probably have a DPO. If you’re using it once and tossing it, you probably don’t.
What Does a DPO Do?
If it looks like hiring a DPO is right for you, here are a few things to consider:
- The DPO reports directly to the top; there will be no intermediaries between the DPO and the leader of your company.
- The DPO will operate independently. Yes, the position is created to ensure your company’s compliance in data protection. But the DPO is also responsible for reporting non-compliant companies to the Data Protection Authority. In other words, the DPO’s ultimate responsibility is to the data—not your company.
If you’re a smaller company and still think hiring a DPO would be smarter than risking data protection on your own, there are some stipulations that could help you. The DPO does not need to be employed solely by your company. For instance, you might set up a “ride-share” style of DPO employment, where you share a DPO with other smaller companies in your industry. Heck, DPO-as-a-Service may even be the next big thing to hit the market.
Though it might feel a bit overwhelming, I believe the DPO position is an incredibly crucial one today. In fact, I’d say most U.S. companies should be seeking to emulate the EU’s protection of personal data, even if they don’t have any customers in the EU. With more and more data being processed every day, a data breach of some kind is imminent for almost every business. If you can’t commit to hiring a DPO right now, at the very least I encourage you to take an inventory of the data you’re collecting, consider potential risks (including third-party risks), and know which borders your data is crossing (both vendors and countries). Being informed is the best way to keep customer data safe.