The DPO: Not Just for GDPR Anymore
Learn more about the latest data privacy restrictions.
They’re the “hottest tech ticket in town,” according to Reuters. Two years after GDPR was adopted, and after plenty of scrambling (and yes, some denial) inside affected organizations, the regulation took effect in May 2018, and data protection officers now have a seat at the top table: Article 38 requires the DPO to report directly to the highest level of management.
The DPO was already the norm in countries like Germany, France, and Sweden. Article 37 of GDPR now makes the appointment mandatory for public authorities and for any organization whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data (or data about criminal convictions); any other organization handling the data of people in the EU may appoint one voluntarily. Under Article 39, the DPO informs and advises the organization and its employees on their GDPR obligations, raises awareness and trains staff, monitors compliance, conducts audits, advises on data protection impact assessments, and serves as the contact point for the supervisory authority.
While it may be somewhat surprising that some companies are already putting the finishing touches on their Article 37 compliance, many organizations are still asking whether they need a DPO at all. Note to any company that deals in the personal data of individuals, wherever those individuals reside: you probably do, and even where Article 37 does not strictly require the appointment, a designated privacy lead is the practical way to meet the rest of the regulation.
Recently, Google CEO Sundar Pichai was questioned by lawmakers about the company’s policies and processes for data collection and management, at a hearing that reflected growing skepticism about whether tech companies like Google and Facebook are willing or able to safeguard consumer data. After years of high-profile data breaches and growing consumer resistance to the tracking practices of digital advertisers and businesses (more than 615 million devices were blocking ads, according to last year’s PageFair Adblock Report), 2018 brought a watershed moment with the Facebook/Cambridge Analytica scandal.
Public trust may finally have reached its breaking point: according to a recent survey by identity management provider Janrain, 57 percent of Americans say the Cambridge Analytica scandal made them more concerned about data privacy, and 69 percent of respondents to the same survey want GDPR-like privacy laws enacted here in the US.
They may get their wish. One month after GDPR took effect, California passed the California Consumer Privacy Act (CCPA) in a matter of days, largely to head off a stricter ballot initiative. When it takes effect on January 1, 2020, it will give California residents protections similar to those EU-based individuals now enjoy: the right to know what personal information is collected and how it is used, the right to opt out of its sale, and the right to have it deleted. The law follows an opt-out model rather than GDPR’s opt-in consent requirement, and it applies to any for-profit business that collects California residents’ personal information and meets one of three thresholds: annual gross revenue above $25 million, personal information on 50,000 or more consumers, households or devices per year, or half or more of its annual revenue derived from selling personal information. Small businesses below all three thresholds are outside its scope, but many mid-sized data-driven companies are not.
It’s clear that businesses need to prepare for a new age that gives consumers greater control over their personal data. The protections enjoyed in California and the EU are bound to spread to other states and countries. Data-driven, consumer-facing organizations must adapt to a business landscape increasingly fueled by consent or risk being left behind. Consent, it appears, is the new currency.
The good news is that the writing was on the wall, and many businesses are already preparing for the changing data landscape. The International Association of Privacy Professionals (IAPP) estimates that as many as 75,000 DPOs will be needed worldwide, about 9,000 of them in the US, to manage the handling of the personal data of people located in the EU. Some have warned of a likely talent gap, but according to the IAPP most organizations will be hiring from within.
That person will face the formidable challenge of not just making the organization compliant but changing its culture. As one data privacy and compliance professional writes, it’s a “dramatic rethink” that requires deep commitment to Privacy by Design and Privacy by Default. These are the principles codified in Article 25, which requires organizations to build appropriate technical and organizational measures (the article itself names pseudonymization and data minimization) into the whole lifecycle of their products, services, and processes, and to ensure that, by default, only the personal data necessary for each specific purpose is processed.
Getting everyone on board requires a thorough understanding of GDPR and of the inner workings of the company. The DPO must therefore communicate well and persuade employees to take data privacy to heart. More than anything, the DPO must have unwavering resolve, and the regulation backs that up: Article 38 requires the organization to involve the DPO in all matters relating to personal data, to give the role the resources it needs, and never to instruct, dismiss or penalize the DPO for performing those tasks. The people in this position are already in the spotlight, and as public scrutiny grows, that light will only get hotter.
Published at DZone with permission of Alex Gorelik . See the original article here.