Who’s Your DPO?

The time to start staffing up for the GDPR is now. Organisations have very little time to discuss, plan, and execute all of the business initiatives required to be in compliance. And, according to Article 37 of the GDPR, any public entity or other organisation that performs regular monitoring and processing of European Union (EU) data subjects on a large scale that can uniquely identify a “natural person” or involve criminal convictions and offences is required to designate a Data Protection Officer (DPO).

Ideally, an organisation should already have its DPO in place so that he or she can lead all subsequent GDPR-related efforts within the business. However, if your organisation has yet to designate a DPO, don’t throw it over the wall to your security and compliance team before you (and they) understand the nuances involved with this role, or you run the risk of bringing the wrong candidate on board.

What is a DPO?

The DPO is a critical leadership role that reports directly to the executive management of the organisation. In short, the role is responsible for ensuring that your organisation is in compliance with the GDPR by architecting and implementing your data protection strategy. The role straddles the lines between a security, compliance, and privacy officer. Staying true to the regulation’s vague nature, the GDPR does not specifically provide a job description or credential requirements for a DPO. However, the regulation does mention that a DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.”

What are DPOs responsible for?

At a minimum, DPOs are responsible for the following  five tasks:

  • Inform and advise controllers, processors, and employees within the organization of their obligations under the GDPR
  • Monitor GDPR compliance activities, including assignment of duties, awareness training, and audits
  • Advise the organization on data protection impact assessments and monitor its performance
  • Cooperate with the GDPR supervisory authority
  • Act as the point of contact with the supervisory authority on all GDPR-related matters

And given the scope and size of the GDPR, the number of DPO responsibilities will no doubt grow exponentially over time.

DPOs also function as the point of contact for data pertaining to  the processing of personal information. Thus, DPOs are bound by secrecy and confidentiality concerning the performance of their job role.

What technology will DPOs rely on?

Unfortunately for DPOs, the GDPR is lacking when it comes to identifying specific technologies in compliance with the regulation, other than basic references to “encryption” and “psuedonymization.” This can lead to a fair bit of speculation regarding what technology is actually required when it comes to complying with GDPR.

However, given the data-centric nature of the GDPR, DPOs need to focus on the following three key technology areas:

  • Complete data visibility — The DPO must have visibility over the organization’s entire data attack surface. This goes beyond the traditional data protection capabilities of silo servers, desktops, and laptops. DPOs must have access to cloud-scale data protection capabilities that can provide a single control point for traditional data sources, as well as native support for mobile devices and cloud applications.
  • Data security everywhere — Data under the purview of the DPO must be encrypted everywhere: both in-flight and at rest. This requires that the organization’s data protection capabilities will support encryption capabilities like TLS 1.2 and AES-256 for data security wherever possible.
  • The ability to erase data — With complete data visibility comes the ability to erase or purge data (think “right to be forgotten”). While the erasure of data is new to many organisations, GDPR requires that DPOs be able to purge data subject information at their request. DPOs will need to utilize data protection capabilities that can granularly delete data while maintaining a complete audit trail of the process.

Ultimately, the GDPR has anointed the DPO as the official role within an organisation that will have executive standing and function as the single point of contact for all things related to data protection and processing of EU citizen data. While I could sit here and wax poetic about the DPO needing business-wide support to be successful, that would a bit disingenuous. Unlike CSOs and CPOs, who typically lack a regulatory hammer within their own organisations, I would be remiss not to remind everyone that the office of the DPO carries the full weight of defending the company from a €20M, or 4% of annual turnover, penalty for non-compliance. While many organisations may play the “wait and see” game with GDPR, the EU will no doubt make an example of the first few organisations that violate the GDPR policies and requirements. By selecting and engaging with a DPO as soon as possible, you can help your organisation avoid that scenario.

By Andrew Nielsen, Chief Trust Officer at Druva


GDPR Summit London is a dedicated event which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

Further information and conference details are available at http://www.gdprsummit.london/