Why you need a data protection officer

Enforcement of the European Union's General Data Protection Regulation (GDPR) is set to start in about 18 months, giving regulators the ability to levy massive fines. Getting ready may require a data protection officer.

With enforcement of the European Union's General Data Protection Regulation (GDPR) set to begin on May 25, 2018, organizations that handle any personal data relating to EU residents must begin preparing now, if they haven't already.

Most organizations will need to designate a data protection officer (DPO), says Steve Durbin, managing director of the Information Security Forum (ISF), a global, independent information security body that focuses on cyber security and information risk management.

"The GDPR is putting data protection practices at the forefront of business agendas worldwide," Durbin said in a statement earlier this month. "Its scope is unmatched by any other international law, and we estimate that more than 98 percent of ISF members will be affected by its requirements because they process the personal data of EU residents, or are based in the EU. For most organizations, the next 18 months will be a critical time for their data protection regimes as they determine the applicability of the GDPR and the controls and capabilities they will need to manage their compliance and risk obligations."

The GDPR was adopted by the EU in April 2016 after more than five years of work to modernize the EU's data regulation. It applies to personal data relating to EU residents regardless of where that data is processed. It also defines the scope of EU data protection legislation. And, Durbin notes, GDPR gives regulators serious teeth — compliance costs and fines can reach up to €20 million or four percent of global annual turnover for the preceding financial year, whichever is the greater.

As such, it can affect your corporate risk profile. Durbin says it is essential for organizations to understand its impact as soon as possible.

Are you ready for data protection regulations?

To that end, earlier this month ISF released a briefing paper for its members, "Preparing for the General Data Protection Regulation." The briefing outlines data protection concepts and the changes introduced by the GDPR. It also describes the foundation of the ISF Approach, including the key requirements organizations should take into account when preparing their compliance programs.

The ISF Approach recommends organizations do the following:

  • Determine the applicability of the GDPR to their personal data processing activities.
  • Evaluate control requirements mandated by the new legislation.
  • Assess organizational capabilities to deliver the outcomes required by the GDPR.
  • Understand the financial and operational consequences of non-compliance.
  • Prepare for compliance by May 25, 2018.

"In practice, organizations should have their GDPR preparations completed well before May 2018 in order to gain assurance from and provide assurance to third parties' requests," Durbin said. "This will require resources with the expertise and time to issue and process those requests. Data protection, legal and information security teams should plan for this task so that they are not overwhelmed with requests closer to the enforcement deadline."

Most organizations will need a DPO to guide them through the process, Durbin said. Because a shortage of skilled individuals is likely, and corporate hiring cycles are long, the ISF says organizations face a choice: begin recruiting now, identify an internal candidate and start their training now, or seek external expertise to fulfil the role requirements.

ISF plans to publish a supplemental Implementation Guide in the second quarter that will aim to provide practical guidance and better prepare organizations with the ability to interpret the legislation, prepare for compliance and implement the required controls and capabilities.
