Why do I need a Data Protection Officer?
While the desire to protect company, customer, and vendor information isn't new, there are new laws that require organizations to take a more active role in protecting their data. The EU has adopted the General Data Protection Regulation (GDPR), which applies from 25 May 2018 and requires certain organizations to appoint a Data Protection Officer (DPO). It has been estimated that nearly 28,000 DPOs will be needed to meet this requirement by the end of 2018.
Specifically, the GDPR (Article 37) requires a DPO to be designated where the processing is carried out by a public authority or body, where the organization's core activities involve regular and systematic monitoring of data subjects on a large scale, or where its core activities involve large-scale processing of special categories of data (such as health data) or data relating to criminal convictions. It's important to note that the regulation not only affects companies that are based in the EU, but also those outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
Because terms such as "large scale" and "regular and systematic monitoring" are not precisely defined in the GDPR, one of the first steps that any company operating within the EU will need to take is to determine whether or not it is subject to the DPO requirement. It may be necessary to hire a security consultant on a short-term basis to make this determination. Fortunately, CyberSecOp has plenty of experience in helping companies comply with EU law, as well as the IT security background that this position requires.
What is a Data Protection Officer?
In order to comply with the new regulation, a Data Protection Officer must have "expert knowledge of data protection law and practices". Additionally, the DPO must have a good understanding of the organization's structure, business processes, IT infrastructure, and technology.
It's important to note that as long as a person is capable of performing the functions of the role, there is no formal training or certification requirement. This means that the job can be assigned to an existing employee. It is also permissible for an organization to engage an outside consultant or security firm to take on this role under a service contract. In either case, the DPO must be able to act independently, must not be instructed on how to carry out the DPO tasks, and must report directly to the highest level of management.
How will this affect my company?
Due to the substantial penalties for ignoring the GDPR, any company that meets the criteria and operates in at least some capacity in the EU will need to appoint a Data Protection Officer. Larger companies will most likely already have a privacy or data security function from which a suitable DPO can be designated. Small companies will most likely find it most cost-effective to engage an outside firm to handle their data protection obligations.
Mid-size companies, however, will likely struggle to come into compliance with this rule. Keeping a full-time Data Protection Officer on staff might prove to be cost prohibitive, but contracting with an outside firm may also run up costs beyond a sustainable level. In many cases, the solution might be to find a professional with multiple skill sets who could act as the company's Data Protection Officer while also performing other duties. The GDPR allows this, but the organization must ensure that the other duties do not create a conflict of interest: a DPO should not also be the person who decides the purposes and means of processing, such as the head of IT, marketing, or HR, because the DPO would then be auditing their own decisions. CyberSecOp has a team of security professionals dedicated to helping organizations comply with the GDPR and other data security frameworks.