Posted by David Znidarsic on Thursday, February 22nd, 2018
The General Data Protection Regulation (GDPR) will be enforced starting on May 25, 2018. One of the requirements of the GDPR is that many companies who handle personal data of EU citizens will need to appoint either an employee or contractor to be their Data Protection Officer.
This role is sometimes mistitled as Data Privacy Officer. The authors of the GDPR consciously call it a data protection regulation and call its champion a data protection officer to emphasize that confidentiality and integrity of personal data are just as important to data privacy as receiving consent to collect that personal data in the first place.
Therefore, coming into the role, the Data Protection Officer (DPO) must have expert knowledge of data protection law and the practices necessary to protect data, because they will be involved with all issues related to protection of personal data. Since often personal data is not (or cannot feasibly be) isolated from non-personal data, the DPO will be involved in the protection of all data in systems that have any personal data.
The DPO must effectively interact with people, because they will be publicly identified as the primary data protection contact for management, employees, suppliers, partners, customers, and the people identified by the personally identifiable information (PII) processed by the company (aka data subjects).
The DPO has responsibility to inform employees of data protection regulations, and monitor the company’s compliance with these regulations and internal data protection policies.
Most importantly, a DPO is key advisor to the company regarding the Data Protection Impact Assessments that are mandated by the GDPR. These assessments evaluate the origin, nature, and severity of risks to personal data, and then recommend the measures, safeguards, and mechanisms for mitigating those risks.
In return, the GDPR requires that a company owes the following protections to their Data Protection Officer:
So, if you want the responsibility of playing defense for a company, then a Data Protection Officer role is for you.
David Znidarsic is the founder and president of Stairstep Consulting, where he provides intellectual property consultation services ranging from IP forensics, M&A diligence, information security management, open source usage management, and license management. Learn more about David and Stairstep Consulting at www.stairstepconsulting.com.
This post was originally published on September 28, 2017.
Get the latest AppSec news and trends sent directly to you.