Protect and Serve
With minimal fanfare, but great impact, the EU General Data Protection Regulation (GDPR) took effect on 25 May 2018.
There is a new officer in town, a privacy officer who stands guard against the misuse and abuse of personal data. GDPR's reach is territorial rather than citizenship-based: it applies to processing carried out in the context of an establishment in the European Union (EU), and to organizations anywhere in the world that offer goods or services to, or monitor the behaviour of, people located in the EU (Article 3).
This is the Data Protection Officer (DPO), a GDPR-mandated role that epitomizes person-centered privacy rights. More to the point, the DPO oversees those "Core activities… that are 'inextricable' to the company's primary functions."1 GDPR revolutionizes how public bodies, private businesses, and other organizations manage personal data (the broader GDPR term for what US practice calls personally identifiable information, or PII) in the course of operations. The regulation does not require every EU business to appoint a DPO. Under Article 37, a DPO is mandatory in three situations: the processing is carried out by a public authority or body; the organization's core activities require regular and systematic monitoring of data subjects on a large scale; or its core activities consist of large-scale processing of special categories of data (such as health, biometric, or political data) or of criminal conviction data. Member state law may add further cases, and organizations may appoint a DPO voluntarily. Wherever a DPO is in place, the role ensures that the organization handles personal data from a person-centered privacy perspective. This adds compliance costs, which private companies often resist.
The same criteria apply to non-EU organizations that fall within GDPR's territorial scope, but confusion can arise in practice. To begin, it is not the size of the company or the number of employees that determines the need for a DPO. It is the nature and scale of the personal data processing: whether it is a core activity, whether it involves large-scale monitoring or special categories of data, and how many people it touches. Typically, a small business outside the EU will not need a DPO unless it processes such data as a core activity and does so on a large scale.
At its core, the DPO is a compliance officer who must distinguish between core business activities (those for which processing personal data is inextricable from the primary purpose) and ancillary activities such as payroll or standard IT support, because only the former trigger the Article 37 thresholds. Records management requirements already impose strict functional discipline on businesses; the DPO builds on that discipline to ensure the company operates according to Privacy by Design and by default (Article 25). Stated differently, the DPO ensures the company complies with person-centered privacy mandates. Much like a records manager, the DPO needs "significant experience in both IT and risk management." To be successful, the DPO must work to ensure that the company has a culture of compliance.
Additionally, DPOs must have "knowledge of how GDPR regulations and all applicable national data protection law apply to the organization's data processing practices; significant experience with IT security audits and threat assessment; and strong communication skills across a variety of organizational positions and departments." DPOs must be independent, must not receive instructions on how to carry out their tasks, must not be penalized for performing them, and must report directly to the highest management level (Article 38). This independence is a crucial aspect of accountability and of the audit process that can surface hidden violations before they lead to substantial fines. The DPO is also the primary communicator between IT and the executive level, the designated contact point for supervisory authorities and data subjects, and a key adviser during breach response, although the legal duty to notify a breach within 72 hours (Article 33) rests with the controller, not with the DPO personally.
If any of this sounds familiar, it should. The EU lawmakers who debated and composed the landmark GDPR likely did so with records managers and frameworks such as the Generally Accepted Recordkeeping Principles® (Accountability, Transparency, Integrity, Protection, Compliance, Availability, Retention, and Disposition) in mind. This has substantial ramifications for modern businesses that have embraced an information governance (IG) strategy. In today's regulatory environment, records and information management (RIM) professionals might just be tailor-made to take on the mantle of a DPO, as they share many of the same professional requirements.