The combination of the current IT skills shortage and the impending implementation of the General Data Protection Regulation (GDPR) has made the appointment of a Data Protection Officer (DPO) an urgent matter for businesses, says The Bunker. A recent study by the International Association of Privacy Professionals (IAPP) has found that 28,000 DPOs will be required in Europe to meet the requirements of the GDPR when it comes into force in May 2018. The GDPR prescribes the appointment of a DPO for any business that processes personal or sensitive data or systematically monitors behaviour on a large scale – categories which include a wide variety of organisations in the wake of the changes wrought by big data and analytics.
The official purview of the DPO is to help ensure the security of an organisation’s data, and thereby to protect the organisation from the huge financial sanctions that can be imposed under the GDPR.
Chris Scott, DPO at The Bunker, comments on the elusive qualities that organisations should look for in a DPO: “The DPO has a complex role, demanding an unusual combination of experience and skills. With the current IT skills shortage already taking its toll, organisations need to start looking for these individuals now if they want to avoid the huge financial penalties imposed by the GDPR.
“The DPO’s primary duty is to develop an understanding of the GDPR in all its complexity, and to relate that back to their organisation to ensure compliance. The DPO will therefore need to be an expert in data protection, and will likely have had experience of rolling out compliant solutions such as PCI DSS or ISO frameworks. They will also need to have a forensic attention to detail, enabling them to carry out deep risk assessments in order to identify which areas of the business are most at risk of non-compliance or a data breach.
“There are also certain ‘softer’ skills which will be important for any successful DPO. The capacity to report to and influence key decision makers will be vital – the GDPR will have consequences for an organisation’s data policy that could have large operational and financial implications. Likewise, the DPO needs to have a certain amount of freedom and support to carry out their duties to their full extent. This requires strength of character, and an understanding of the gravity of their role.
“The GDPR is intended to update the security culture within businesses for the 21st century. To do so, it requires a vanguard of technically skilled and diplomatically savvy people. The IAPP estimates that 28,000 DPOs will be required by May 2018 – and there are already doubts as to whether there is a large enough base of people with the necessary skills to recruit from, due to the skills shortage. It is therefore advisable that organisations start looking for these rare individuals now to protect themselves from the large financial penalties of the GDPR,” he concluded.