The arrival of the General Data Protection Regulation (GDPR) has only accelerated the adoption of a new role that already had momentum: The Data Protection Officer.
Whether it's compliance or just common sense, protecting information in today's highly digital, data-intensive world is no longer optional for companies.
Unlike a Chief Compliance Officer — who ensures that a company operates within the laws, regulatory requirements, policies and procedures of a particular industry and country across a wide range of areas — the Data Protection Officer (DPO) focuses on one thing: Protecting data.
According to Wikipedia, the Data Protection Officer is defined as the person who “ensures, in an independent manner, that an organization applies the laws protecting individuals’ personal data.” Under the GDPR, the DPO shall report directly to the highest management level.
We’ll leave “Chief” out of the title for now, but the data protection officer role is increasingly taking a new seat in executive boardrooms around the world. In fact, PwC predicts that GDPR alone will require 28,000 new DPOs in Europe and the US, and as many as 75,000 worldwide.
As requirements for data privacy and protection only increase, there’s no better time to evaluate the need for a data protection officer at your company. A recent PwC post offers 10 key considerations on why, where and how organizations can benefit from the role. Here are the top three for your consideration:
- Why Hire a DPO — GDPR has made the role a requirement for some companies under certain circumstances, including if the organization is a public authority, engages in monitoring of people, or processes large amounts of sensitive personal information. The fact is, whether GDPR compliance is a requirement or not, PwC’s key takeaway on this question is as follows: “If companies face moderate or elevated regulatory, litigation, or contractual risk vis-à-vis the GDPR and Europe is an important source of future revenues, they should seriously consider appointing a DPO.”
- Where to Hire a DPO — Not surprisingly, placing a DPO in an EU member state where the company’s “main establishment” exists is the best recipe for success when it comes to GDPR, according to PwC. This enables better relationships with regulators due to better proximity, local knowledge, and the use of local language. While some American companies are placing the role in their US-based headquarters office, taking a broader view than just GDPR compliance, the general guidance from PwC is to place the role where your centralized data processing operations take place.
- Where to Sit in the Organization — Data protection has traditionally been tasked to the Legal Department in Europe, according to PwC, and in other parts of the company depending on where you operate. The advice: If the DPO is in the Legal Department, make sure that they have independence and the freedom to be effective. In turn — since data protection is about more than cyber-security — if the DPO is placed in IT, auditing, or some other function, make sure they have the appropriate level of legal knowledge.
Learn other key considerations for the DPO role and how to make the best decision for your company by reading the complete PwC post here.
In the end, leading companies are protecting data not just for reasons like security, compliance and competitive forces, but because it’s just good business.
And success is not simply left to one individual and a role like the data protection officer. No matter where you sit in the C-Suite or in leadership at your company, protecting customer and company data is the job of everyone today.