Padlock over smartphone and EU flag inside mobile phone and EU map, symbolizing the EU General Data Protection Regulation or GDPR. Designed to harmonize data privacy laws across Europe.

 

The exponential growth and increased reliance on personal data presents inherent operational, reputational and regulatory challenges for any company. For those organizations subject to the General Data Protection Regulation (GDPR), however, the challenges are specific and menaced by the ever-present specter of heavy fines and regulator reprimands.

Perhaps the most surprising challenge that many companies face is complying with one of the GDPR's more straightforward requirements: appointing a Data Protection Officer (DPO). Article 37 requires some organizations to appoint a DPO to oversee and support the organization's data privacy compliance and serve as an external point of contact on all privacy-related issues. The DPO should have “expert knowledge of data protection law” and understand the types of technical, administrative and programmatic safeguards typically deployed to protect privacy rights.

A study by the International Association of Privacy Professionals (IAPP) found that once GDPR was enacted, up to 75,000 DPOs were needed worldwide. Yet, these qualified resources are hard to come by and can be expensive.

This requirement can place strain on any company, with particularly significant impact on small and mid-sized companies. Many companies—including small and mid-sized businesses—are required to appoint a DPO because they either process large volumes of personal data, offer products/services that systematically monitor data subjects or both. Yet many lack sophisticated risk management resources to staff a DPO role internally or are unwilling or unable to hire an external resource, which often results in the designation of placeholder DPOs to ostensibly check the box on the requirement. This misses the entire point of the obligation and may create more risk (and individual liability) in the process. It is critical that organizations prioritize the appropriate staffing of the DPO position.

To ensure that the role is fully resourced, organizations in the process of onboarding a DPO should evaluate the following considerations:

Internal v. External DPO: An internal DPO would already be part of the business, with a direct reporting line to management, who knows the business and its data flow. However, the role of DPO requires a range of skills that an individual already part of the organization may not have, and conflicts of interest may exist. An external DPO would be experienced and have the requisite skill set, knowing the market, however, would have less insight into company structures and processes.

Extensive Privacy Regulatory Experience: The worldwide talent pool will remain somewhat shallow as legal and compliance professionals work to ramp-up their expertise with data privacy law. Still, it is paramount that anyone entering the DPO role bring experience with designing and building data privacy solutions that meet regulatory requirements, not just for GDPR, but across jurisdictions in North America, EMEA and APAC.

Strong Technical Expertise: Experience with diverse data environments is critical. The DPO must have deep technical capabilities, to ensure that the organization's data programs meet 'privacy by design' requirements. This expertise will also ensure that the DPO is able to strategically apply technology where needed and partner with the IT department to oversee deployment of enterprise platforms and applications that impact data practices.

Ability to Prioritize Data Value: One of the DPO's first initiatives should be to conduct a risk assessment of how personal data is processed, stored and used. With that information, the DPO should develop a sustainable strategy for reducing that risk. This process should include prioritization of different types of data, so new programs and policies can help improve data value by making it more transparent and enabling more effective business decisions.

Cross-Functional Execution: The DPO should have the ability to reach across functions and work with stakeholders within a variety of departments in the organization. By working with the executive bench and cross-functional teams, the DPO can ensure that project plans address and take account of the range of business needs and challenges that exist in the ecosystem.

GDPR has provided a significant opportunity for corporations to strengthen their data privacy practices and improve their foundation for consumer trust. Appointing a DPO for small and mid-sized companies is not without its challenges and may seem daunting. Still, standing up an effective DPO is of critical importance and can serve as a vital piece of an organization's privacy control toolbox.

 

Louise Rains Gomez is a Managing Director in FTI Consulting's Technology segment. She brings more than 10 years of experience in litigation, e-discovery and information governance, with a focus on helping clients reduce costs and alleviate their broad data management challenges. Andrew Shaxted is a Senior Director in FTI Technology's Information Governance, Privacy and Security practice, and is based in Chicago. He is a licensed attorney, global data privacy and infosec consultant with a background in technology and global risk management program implementation.