Tech Memo: Rise of the DPO
GDPR ushers in the data protection officer. Here’s why that role is becoming necessary for many organizations.
By Tim Ebner
With the European Union’s General Data Protection Regulation now firmly in place, the role of the data protection officer has come into sharp focus, causing many organizations, including some associations, to hire or appoint a DPO, says Sam Pfeifle, content director at the International Association of Privacy Professionals (IAPP).
If you don’t have a DPO on staff or under contract as a consultant, it may not be cause for concern, depending on how much data you process and where the data subjects are located. But if you’re a large association with many European Union members, it’s a must-hire position.
Under GDPR, the requirement to hire or appoint a DPO is established in Article 37 and applies to any organization whose “core activities” involve “regular and systematic monitoring of data subjects on a large scale.”
IAPP has more than 42,000 members, approximately 12,000 of them in Europe. That caused the association to err on the side of caution when considering whether to bring a DPO on board.
“We have many European records, and we are constantly updating them in our customer management system,” Pfeifle says. “We also systematically profile on a relatively large scale, so we think the [DPO] appointment was mandatory.”
Many IAPP members have also followed suit, appointing or hiring a DPO in the months leading up to GDPR’s effective date last May, Pfeifle says.
“GDPR was a wake-up call,” he says. “I would say that, for many organizations, the decision to have a DPO happened recently.”
Even if you don’t think you need a DPO now—perhaps you have few or no members in Europe—the role is likely to become increasingly critical as U.S. privacy laws change and consumers become more accustomed to controlling their personal data.
“Almost every jurisdiction is bringing in new laws or considering them,” Pfeifle says. “In the not-so-distant future, you’ll likely need someone to make sure you’re acting appropriately.” The DPO’s role is to “act as the voice of the data subject—the consumer.” Typically, he or she reports directly to the highest levels of the organization and communicates with external authorities.
Associations should think long and hard about who they might appoint to this position, Pfeifle says. Conflicts of interest could arise if the job is given to a senior-level leader already on staff, like a chief technology officer or in-house general counsel.
“Look for the person who can act independently from organizational interest. They should also serve as the expert on privacy law,” he says. “You may be able to train up someone from your compliance or IT staff, or you may need to tap an outside expert to serve in this role.”