The rise of the data protection officer (DPO) in modern security was inevitable. The role has lain quasi-dormant for years outside of Europe, but prompted by legal and ethical issues related to the handling of customer data -- think the General Data Protection Regulation (GDPR), slated to go live in three months -- its time apparently is here.
One requirement of the GDPR is that some organizations will have to take on a DPO, either by hiring or appointing one or by bringing one in under contract. The number of DPOs is expected to spike immediately: A study last April by the International Association of Privacy Professionals (IAPP) estimated that more than 28,000 DPOs (24,000 in the private sector, 4,000 in the public sector) will be needed in Europe and the U.S., and as many as 75,000 worldwide, owing to the GDPR.
There are other indicators: DPO job listings in the U.K. have increased by more than 700 percent in the last 18 months, according to a Reuters report. Moreover, heavyweights such as Uber, Twitter and Airbnb are all advertising for a DPO. And Microsoft, Facebook, Salesforce and Slack have told Reuters that they’re also looking to fill the role.
Why a DPO? Article 37 of the GDPR requires controllers and processors of personal information to designate a data protection officer when the processing is carried out by a public authority or body (except courts); or the controller’s or processor’s “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data” (via IAPP).
According to the IAPP, the DPO requirement in the GDPR comes from a similar program in Germany that’s been active for 10 years. It’s new nearly everywhere else in the world with few exceptions.
“I got into security before anyone cared about it, and I had a hard time finding a job,” Jen Brown, the DPO at Sumo Logic, an analytics startup based in Redwood City, CA, told Reuters. “Suddenly, people are sitting up and taking notice.” Her inbox is now swamped by recruiters, she said.
What does a DPO do? Under the GDPR, the DPO’s tasks include the following:
- Inform and advise the controller or processor and its employees of their obligations to comply with the GDPR and other data protection laws.
- Monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, training data processing staff, and conducting internal audits.
- Advise on data protection impact assessments (DPIAs) where they are required under Article 35, and monitor their performance.
- Work and cooperate with the controller’s or processor’s designated supervisory authority, and serve as the contact point for the supervisory authority on issues relating to the processing of personal data.
- Be available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights.
As an aside, job security is a major perk for DPOs. The GDPR “expressly prevents dismissal or penalty of the data protection officer for performance of her tasks and places no limitation on the length of this tenure,” IAPP said in a blog post.