Data Protection Officer Role Will Be Key If You Operate in the E.U.

The European Union is considering sweeping new data protection laws that would mandate many organizations in Europe formally appoint a Data Protection Officer (DPO). To get ahead of the potential high demand for qualified candidates, organizations should consider defining their needs now.

Fri, June 01, 2012

CIO — Organizations that operate in the European Union (E.U.) may soon be searching for candidates for a new role mandated by law: the Data Protection Officer (DPO). As currently described by the proposed legislation, the DPO role would require a seasoned professional with credentials in the security trenches, reporting directly to the board of directors. With the potential for a land grab of qualified candidates, organizations may want to begin defining their needs now.

"The CEOs, or whoever's running this business, are going to be responsible for hiring people that can communicate," says Patrick Clawson, a veteran of the security industry and chairman and CEO of Lumension Security, a specialist in endpoint management and security. "There are a ton of very smart people who get IT security, but they don't have the ability to make it viral among the employee base. They have to be passionate about credentials and be good communicators that can work with the people in the business and the executive team. This isn't a role for someone right out of college."

Many of the qualified candidates will come out of large consultancies like Capgemini and IBM, Clawson says, noting that organizations will want to make sure they have a seasoned professional because the proposed legislation would have serious teeth. The European Commission (E.C.), which published a first draft of the new data protection legislative package in January, has proposed hefty fines for non-compliance. A provision would allow national supervisory authorities to send a warning letter for first offenses, but serious violations (like processing sensitive data without an individual's consent) would allow those supervisory authorities to impose penalties of up to ¬1 million or up to 2 percent of a company's global annual turnover.

"To be fair, if you're going to put something in place, if there aren't teeth it won't happen," Clawson says. "The most successful U.S. legislation like HIPAA and PCI have big hairy teeth."

The E.C.'s proposed legislative package is intended to both harmonize the data protection laws across the E.U. member states and update them to address the new technological reality (like cloud computing). Currently, data protection in the E.U. falls under the Data Protection Directive, adopted by the E.C. in 1995. As a directive, it provided a list of issues the E.U. member states should address with their own legislation. That left each of the 27 E.U. member states to implement their own varying versions of data protection laws. The new legislation would replace those laws with a single set of rules that would govern data protection across the E.U.

Continue Reading

Our Commenting Policies