The General Data Protection Regulation (GDPR) mandates that you have a Data Protection Officer (DPO) - Are You Ready?
(Originally appeared in the August 23, 2017 'Across the Board' Publication Reaching 22,000+ Savvy Business Leaders In Over 65 Countries - sign up here)
In May of 2016, the European Union GDPR (General Data Protection Regulation) was approved and signed into law providing additional privacy and information control for citizens based within the European Union. This regulation is not only unprecedented, but also complex legislation that will "have a dramatic impact on how global firms process, store, disseminate and purge the personal data of EU citizens" as of May 25th 2018, the effective date. The GDPR consists of 99 Articles categorized in 11 Chapters (huge) and is a major update from the outdated and technologically-defunct regulations drawn up 20 years earlier.
The General Data Protection Regulation is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU.
So why should you care about a regulation initiated and seemingly applicable only to the EU? ...Because GDPR does not just impact European firms. Organizations outside the EU will need to comply with the GDPR if they control, process or store any EU residents' personal data. That's big. And this legislation is already becoming the new standards bar for companies around the world regardless of what country/countries they reside in. In terms of data security, data handling and data storage, most local jurisdictions outside of the EU don't even come close to the level of mandates and requirements that the GDPR imposes, making GDPR the most comprehensive and detailed regulation to date globally. "GDPR has put an even deeper focus in recent months on cybersecurity and data protection as the May 2018 deadline gets closer," said Samantha Drake, the Director of Sales at LIFARS, a global digital forensics and cybersecurity intelligence firm based in New York City. "Our clients have not been shy in requesting assistance to ensure their data security compliance."
Potential penalties, you ask, if your company is not in compliance? Steep.
"Both [data] controllers and processors are regulated by the GDPR," mentions Professor Daniel J. Solove, the John Marshall Harlan Research Professor of Law at George Washington University Law School, in his article 'The Hidden Force That Will Drive GDPR Privacy Compliance.' "And, controllers are on the hook under GDPR if they do not ensure that vendors who process their data do so when compliant with GDPR." Think you are protected if one of your data vendors is out of compliance? Well, you're not. GDPR is not playing the 'wasn't our company's issue' game anymore.
Main summary areas of GDPR:
Number 7 is extremely interesting - For public authorities as well as companies processing large amounts of special categories of personal data, the appointment of a Data Protection Officer (DPO) is mandatory. Organizations are expected to hire someone who has real expertise and knowledge of the latest laws and practices.
A Data Protection Officer (DPO) is an enterprise security leadership role required by the GDPR. DPOs are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.
The DPO requirement has spawned some interesting discussions among CIOs, CISOs, CDOs, CTOs and a host of other technology and data-related C-Level titles in terms of responsibilities and pecking order, but as Article 37 points out, "the Data Protection Officer may be a staff member of the controller or processor, or fulfill the tasks on the basis of a service contract." The 'service contract' mention in that sentence gets my entrepreneurial juices flowing, as there is likely much opportunity here for service providers to offer end-to-end solutions in this space.
So, my recommendation to boards, board directors and their subsequent guidance to their organizations and CEOs regarding the DPO?
What will you consider when evaluating your DPO?
Reach out directly to Mark A. Pfister to discuss your Board's GDPR and DPO strategy.
Mark A. Pfister, Chairman & CEO
About the Author: In addition to sitting on numerous Boards, Mark A. Pfister is a certified Board Director and advises public, private and non-profit boards in efficient and effective operations. He is the inventor of the 'Board as a Service' (BaaS) engagement model and an expert project/program manager frequently consulting on strategic global initiatives...
Have Mark join you on his National Speaking Tours:
'Building an Effective Board For Your Company' shows business owners and leaders the immense value of creating or rebuilding an experienced 'go-to' Board of Directors or Board of Advisors - and most importantly, how to do it via a step-by-step roadmap. Make your company soar with the right foundational elements of an effective Board.
'The Strategy of Strategy' guides you through the 2500+ year history, evolution and next phase of Strategy - 'Amorphic Strategy.' Learn why strategy is so relevant to you personally as well as your business. Build and leverage your business strategy as well as your own strategy to see how these focused efforts will help you thrive and reach your full potential.
Here's Some Additional Reading