GDPR confusion: IT puzzled over data protection officer role

GDPR's May start date nears: Do you understand the rules around having a data protection officer - and how that person can and can't interact with IT?

Among the myriad tasks organizations must tackle as the May 25 start date of the EU’s General Data Protection Regulation (GDPR) nears, the appointment of the Data Protection Officer (DPO) – a role more or less dreamed up by the GDPR’s authors – is one of the more confounding changes for many IT teams.

Reminder: The GDPR affects many organizations globally, not just in the EU. According to the informational site: “The GDPR not only applies to organisations located within the EU, but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.” 


While the GDPR provides a somewhat vague definition of what the DPO role embodies, it is not specific about the precise credentials a DPO is expected to have. That’s not to say this role is completely alien: most data-centric or public-serving bodies have employed some variation of the DPO in the past, often as part of compliance with local legislation such as Germany’s strict data protection rules.

The GDPR does, however, outline a couple of broad qualifications for the DPO, including:

  • Proven expertise: Candidates must thoroughly understand how to build, implement and manage successful data protection programs. This isn’t a role that should go to a novice or individual with a light resume, as this is a highly specialized post that marries some of the most challenging aspects of data processing and data control.
  • Encyclopedic understanding of the law: Along with being able to quickly reference the finer details of the GDPR, this individual must also have a strong understanding of all related legislation, as well as the organization’s internal structure for data collection and protection.

The real ambiguities and nuances with the role come down to how the DPO will work within and alongside the existing IT structure, and how much freedom this individual will have from the rest of the organization. Some of the most frequently asked questions about the new position include:

How will the DPO work with the CIO and IT team?

The GDPR mandates that the DPO operates parallel to the larger IT operation, while remaining independent and without instruction from their employer over the way they carry out tasks.

This may seem intrusive: After all, where’s the logic in putting an employee on the payroll who ultimately reports to an outside authority? In practice, however, these roles can save organizations a great deal by helping companies avoid business-debilitating fines for noncompliance.

The employer can’t instruct the DPO on “what result should be achieved, how to investigate a complaint or whether to consult the regulatory authority,” according to the GDPR, nor should the CIO or other IT leadership attempt to influence how data is interpreted.

This DPO will therefore inevitably conflict with the larger duties of the CIO and IT teams in some areas, but neither the CIO nor the head of IT has the authority to penalize the DPO for performing their duties. The regulation mandates that the only individual a DPO answers to within the organization is the person at “highest management level,” with the European Commission holding ultimate authority.

What does that mean for IT leaders?

This has numerous implications for IT leaders, since the DPO essentially holds this part of the business to task in making sure the larger organization doesn’t get hit with noncompliance fines. The DPO isn’t held individually liable for non-compliance by the organization, as the GDPR states that a business is free to ignore the guidance of the DPO, but they will be required to explain their reasoning – in writing – to the appropriate regulators.

Organizations are, however, allowed to assign additional tasks to the DPO outside of what’s required by the GDPR if the DPO is employed internally. This could put some unrelated, non-regulatory activities under the supervision of CIOs and IT leaders.

On the flip side, the GDPR does allow companies to employ an “external DPO” under a service contract with a third-party vendor. In either case, an organization will still be required to provide the resources and access to collected data needed to fulfil the role’s job functions – which may make some IT teams wary of outsourcing these efforts.

The GDPR has a lot of ambiguities by design, as many of the rules – including the appointment of a DPO – fall on organizations of all sizes and mission, requiring tailored approaches to implementation. The new rules simply give businesses guidelines to help prepare for an even more data-centric, global business environment in the future.

IT leaders should do all they can to get their unique relationship with the DPO off on the right foot by being good listeners. The best DPO candidates have a lot to teach CIOs and IT teams, so long as those teams are willing to learn and accept the guidance. By empowering the DPO on day one to share their expertise, rather than bogging them down in “how it’s done” rhetoric, you should set a collaborative tone from the get-go and help assure long-term compliance.


Paul Martini is the CEO, co-founder and chief architect of iboss, where he pioneered the award-winning iboss Distributed Gateway Platform. Prior to founding iboss, Paul developed a wide-variety of complex security and technology solutions for clients such as Phogenix, the U.S. Navy and Hewlett Packard.