A bit like Western children on Christmas Eve, excitedly waiting to catch a glimpse of Santa, organizations concerned by the new EC GDPR regulation (any organization offering goods or services to, or processing the data of, EU data subjects) are waiting in excitement to see him/her: the Data Protection Officer (DPO)!
Introduced in Article 37 of the regulation, the DPO must be in place in all public authorities, and in organizations that engage in large-scale systematic monitoring or processing of personal data, by May 2018, when the regulation will actually be enforced. Given that the regulation defines personal data as any information related to a natural person that can be used directly or indirectly to identify that person (a photo, an email, a name, an IP address), pretty much any organization offering customer service is now concerned. Interestingly enough, the Parliament and the Commission do not quite agree on the exact metric: for the Commission, any organization with over 250 employees is concerned, while the Parliament calls for those processing the data of over 5000 data subjects in a 12-month period.
Will he/she come bearing gifts?
The tasks of the controller will be to inform and advise, and to monitor compliance (Article 39). Acting like a vigilant ally, the new Santa is charged with guiding organizations through the labyrinth of data protection and monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, training data processing staff, and conducting internal audits. He/she should also be available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and more.
Can the sleigh pull it all?
To a certain extent his/her role, like that of the new regulation itself, is to make life easier for organizations by creating a “one stop shop for data privacy”. Registration with Data Protection Authorities is to be centralized, and the DPO would be their main contact point, shortening and clarifying processes. Yet the topic remains controversial and still needs to be hammered out between the different institutions of the EU.
Harmonizing data protection laws across Europe and ensuring that the rights of data subjects are secured and available is no simple task; the legislation does not yet define an all-inclusive framework, and it fails to fully empower the DPOs.
Ultimately, it will be up to every organization to appoint its DPO and define the ways to protect its consumers’ data in the most efficient and simple manner.
At the end of the day, the activities of the DPO will be more about navigating the laws and regulations than about thinking of new processes to enforce such laws across the organization. More than the new Santa, could it be that the DPO is just a super lawyer?
A hybrid creature
The text of the law is clear: the DPO should have “expert knowledge of data protection law and practices” (Article 37). Yet the heart of privacy matters is more often found somewhere between a pile of cables and connectors, in the IT department, where the actual data is captured, processed, and stored, and where the policies on how to do so are really discussed and implemented.
It seems that, to have a real practical impact, the DPO should be a more hybrid creature: half lawyer, half IT professional, able to provide advice like a legal expert and reason like an engineer.
Could it be easier to witness a Christmas miracle than to recruit someone with such credentials?
One thing is for sure: the new DPO is here to stay, as the text of the law prevents his/her dismissal on performance grounds and places no limitation on the length of his/her tenure.
NICE’s recording solution offers an end-to-end compliance package, certified by Trustwave for PCI DSS and HIPAA. It includes encryption and real-time pause and resume, and provides flexible archiving and retention, enabling users to store and access data with dedicated tools, including Google-like search, across all of the channels they use.
Overall, the magic is in the eyes of the believer. It is up to each organization to use the knowledge and capabilities of its newly appointed DPO to perform to the highest standards of data protection. A challenge and an adventure that require commitment well beyond Christmas Day.