Friday, March 9, 2012
Data Protection Officers, required by law in Europe
Europe has long led the world in creating privacy rules. Soon, Europe will likely make it a requirement for all companies with over 250 employees to appoint a Data Protection Officer (DPO). Here are a few practical thoughts about DPOs in the modern corporation.
1) We need to train up more DPOs. The universe of privacy professionals is still quite small today. There simply aren't enough experienced DPOs to fill the imminent legal requirements. Soon, many thousands of companies operating in Europe will be looking to appoint DPOs to meet legal obligations, and since there is no available pool of such people, companies need to start thinking now about how to recruit, train and resource a DPO and, for the large companies, an entire DPO team.
2) Companies should decide if their data processing is simple or complicated, and staff their DPO accordingly. Depending on what kind of company you are, you could legitimately take three different approaches:
a) DPO role is added to an existing function: Some companies may have data processing operations that are quite simple and unproblematic. For them, it may make perfect sense to ask someone in the Human Resources or Marketing departments to train up and play this role too.
b) DPO role is out-sourced: Some companies may decide to outsource the role to DPO-consultants who might provide similar services for many clients. Note to entrepreneurial privacy professionals: creating such shared-DPO-consultant services is likely to be a booming business opportunity in the future. Realistically, I think DPO-out-sourcing is only really an option for companies with simple data processing operations, but there are still legions of those.
c) DPO heavy-weights needed: Some companies have complicated and sensitive data processing operations. They will want their DPOs to be strategic data-stewards, guiding their companies to use and protect data in responsible ways, navigating through the thickets of regulatory rules, and representing them before regulatory bodies and courts. I think large and complicated companies should be expected to have senior and experienced DPOs, or in the cases of big companies, indeed, teams of them. But today, rather shockingly, some of the world's largest data processing companies, with mega-databases of trillions of pieces of personal data, do not have a single heavy-weight DPO on staff.
3) Companies need to give their DPOs adequate resources and authority. It's pretty obvious to me, as a long-time insider, that privacy will be well-served by a growing profession of DPOs in companies. To succeed, DPOs will need two things, which are essential to getting things done in large organizations: namely, resources and authority. It takes significant resources to monitor/advise/document the data processing operations of a large corporation (as will likely be required under the new EU laws) and it takes people with real authority to implement the goals of the role of the DPO, as the laws envision it. As for authority, I don't think authority always flows from corporate reporting lines (let's get over this simplistic thinking that every DPO should report to the CEO). I believe authority is derived from substantive knowledge of privacy law and business goals, judgment, persuasiveness, credibility, and perhaps most important of all, the backbone to defend the precious goal of privacy. The European legal proposals go even further in trying to protect the DPO's independence, by providing the DPO with some legal protections against unfair dismissal.
Europe, once again, leads the world in creating privacy rules. Europe proposes many daft rules (e.g., the current proposal for mandatory security breach notifications sent to consumers within 24 hours: get real!). But Europe sometimes leads the world in creating rules that meaningfully improve privacy protections. In the decade ahead, let's work together to strengthen and spread the role of the Data Protection Officer.