As global organizations doing business in the EU settle into the second year of enforcement of the General Data Protection Regulation (GDPR), the sweeping data privacy rules have spurred a boom in the hiring of data privacy professionals in the past year. At the spear tip of this hiring spree are data protection officers (DPO), a role that’s been put fully in the spotlight by GDPR mandates.
Sometimes a legal role, sometimes an auditor and sometimes an enterprise risk or compliance officer, the DPO is a data protection and privacy champion for an organization. The purpose of the role is multilayered: The DPO is responsible for both educating and building awareness within an organization regarding how to protect the privacy of individuals during all stages of data processing. The DPO also serves as an auditor and watchkeeper for privacy practices and is in charge of keeping records on privacy controls and lapses. Additionally, the DPO acts as a point person for the organization to set up external communication with those wanting to exercise their data privacy rights or lodge complaints about how their data is being used.
The DPO position is not new—it’s a common role in Europe and was mandated for many firms operating in Germany prior to GDPR. But GDPR mandates have broadened the reach of DPO positions worldwide. According to research released a few weeks ago from the International Association of Privacy Professionals (IAPP), a surge in DPO appointments has taken place in the last year. Back in 2017, IAPP conservatively estimated that GDPR would create the need for about 75,000 DPOs worldwide. However, its latest research shows that the number of DPOs working in Europe alone is actually closer to 500,000.
Overall, the rise of the DPO is the tip of the iceberg when it comes to an overall surge of privacy professionals hired worldwide. GDPR is just one factor of many, as breach-weary consumers push businesses with their wallets and their political pressure to get serious about protecting data. Fortune reported data privacy job postings shot up by 80% last year, after four years of decline in these kinds of positions prior to 2018.
The widespread appointment of DPOs comes undoubtedly as a result of the broad requirements by GDPR for large organizations to create these roles. GDPR has a three-part test for organizations to determine whether they need a DPO. If the organization processes data as a public authority or body; if it conducts “regular and systemic monitoring of data subjects on a large scale”; or if processes a “large scale of special categories” of data such as personal data relating to criminal convictions, then it must hire a DPO.
The vagueness of the “large scale” description and the increased enterprise reliance on personal information for business analytics and digital transformation efforts are essentially pushing a wide range of global organizations to appoint a DPO. Some large organizations are bringing on multiple DPOs aligned with different lines of business, as well.
Some of these DPO positions are outsourced, while some are new hires. In many instances, these are existing privacy professionals who got an added title and official responsibilities. For example, there is a degree of overlap between DPOs and chief privacy officers (CPOs). However, a recent IAPP study shows that the average salary for a CPO is $220,000, while the typical DPO makes $88,000. The difference indicates the DPO lies farther down the totem pole, which could pose cultural problems for organizations if these professionals are too green or not influential enough to move the needle on privacy progress at their company.
“Just appointing a DPO isn’t enough,” said Trevor Hughes, CEO of IAPP. “Organizations must ensure that DPOs are trained and qualified to address one of the defining tech policy issues of our time: protecting privacy and individuals’ data.”
The question for security professions is, How much these privacy positions will overlap with and reach into their daily work lives?
While some professional chatter has bantered about the idea of appointing someone like a CISO as a DPO, the reality is that though these roles are highly interrelated, they’re distinct functions. As Guy Leibovitz of Cognigo recently explained in an opinion piece for SC Magazine, part of the role of the DPO is in “… actively auditing the advice decisions and policies of the CISO, as well as all other departments,” which would create a conflict in doubling up in those roles.
Instead, CISOs and privacy officers must learn to collaborate closely to work toward mutual privacy goals in their own function.
Sarah Taïeb, data protection officer at Ipsen Group, told Capgemini in an interview regarding how the dynamic works in her organization: “We meet very regularly to ensure that I review her IT policies, and she reviews my employee policies, for example,” she said. “It’s privacy by design, but it’s also security by design because if you don’t have security, you don’t have privacy. The first step is security to make sure that all of the personal data is secured.”