The General Data Protection Regulation (GDPR) requires many businesses in Europe to engage the services of a Data Protection Officer (DPO). The legislation was adopted April 14, 2016 and went into effect on May 25, 2018. The United States is expected to adopt similar regulations, thereby formalizing the requirement to appoint a DPO for publicly held companies or entities that carry out certain processing activities with significant amounts of personal data.
The GDPR has established an early framework for U.S. organizations to understand a data protection officer's place in the organizational hierarchy, duties and competencies.
What Is a DPO?
A data protection officer oversees data protection implementation and data privacy strategy in an organization. More than one person may hold the role. DPOs protect the public good and citizens living in the countries in which an organization collects data, as a DPO’s loyalty is to the public, not the organization.
In the European Union, a DPO acts as a liaison between the organization and the government agencies overseeing data-related work. The GDPR requires the DPO to perform these duties independently, and the DPO may not be penalized or dismissed for performing them.
The DPO role was created in an attempt to reduce the increasing abuses of data collection and their impact on individual privacy. Organizations that fall under the EU requirements must formally appoint a DPO, adhering to strict qualification standards. Many organizations that are not required to have a DPO still have one to facilitate the highest levels of data protection and minimize legal liabilities. Qualified candidates must possess a broad range of experience and expertise, from technical to legal skills.
The GDPR lists several crucial areas of expertise for DPOs:
Risk/IT: Organizations need DPOs with significant experience in privacy and security risk assessment and best-practice mitigation, including privacy and information security certifications. Risk and IT skills involve IT programming, infrastructure and audits. Candidates must have a history of demonstrating awareness of threats and must be knowledgeable in the emerging technologies that can reduce risks to collected data.
Legal: DPOs must understand relevant data protection and privacy laws and keep up with evolving legislation. This is highly complex in the United States, as there are state and federal laws to consider. The DPO must be experienced in discovering potential legal gaps and facilitating gap mitigation and compliance. These topics can be delicate, as they require diplomacy and soft skills as well as legal expertise.
Leadership: A DPO must have significant managerial and/or executive experience to marshal resources. The DPO must have a broad industry background to understand the other roles within the organization appropriate for collaboration.
Communication: Not only must DPOs be able to communicate with top executives, but they must also speak to consumers, clients and the general public to handle requests and complaints about the organization’s handling of data.
Cultural Competency: Many companies handle the personal data of people beyond their borders, so the DPO must be able to work fluently with data controllers and data processors in other cultures. The DPO must be flexible and have a global focus.
Place in the Organization
In smaller organizations, the responsibilities of a DPO may be part of an existing employee’s workload, but in midsize to large organizations, the role is typically a full-time position. A DPO in the EU reports directly to the C-suite executives and communicates with professionals at every organizational level regarding data-handling decisions. The DPO advises senior management on data matters while remaining free from the pressure of competing agendas. To maintain this impartiality, the position cannot be occupied by someone with contrary interests, such as legal counsel involved in litigation against the company.
The Arkansas State University Master of Science in Strategic Communications with an Emphasis in Technology Law and Policy online program prepares graduates for leadership roles including data privacy officer, data protection officer and director of intellectual policy. The curriculum includes courses like Privacy Law; Communication Regulation and Policy; Strategic Communication Management; EU and U.S. Data Protection Law; and Seminar in Information Technology Law. Completing the program equips graduates with the foundational knowledge they will need, typically in conjunction with management experience, to fulfill the obligations of the data protection officer.
The accelerated program can be completed in 10 months and, with tuition of just $9,510 total, provides a fast and affordable way for working professionals to reach their career goals.