Data Protection Officer Role Will Be Key If You Operate in the EU

"The CEOs, or whoever's running this business, are going to be responsible for hiring people that can communicate," says Patrick Clawson, a veteran of the security industry and chairman and CEO of Lumension Security, a specialist in endpoint management and security. "There are a ton of very smart people who get IT security, but they don't have the ability to make it viral among the employee base. They have to be passionate about credentials and be good communicators that can work with the people in the business and the executive team. This isn't a role for someone right out of college."
Many of the qualified candidates will come out of large consultancies like Capgemini and IBM, Clawson says, noting that organizations will want to make sure they have a seasoned professional because the proposed legislation would have serious teeth. The European Commission (E.C.), which published a first draft of the new data protection legislative package in January, has proposed hefty fines for non-compliance. A provision would allow national supervisory authorities to send a warning letter for first offenses, but serious violations (like processing sensitive data without an individual's consent) would allow those supervisory authorities to impose penalties of up to $1 million or up to 2 percent of a company's global annual turnover.
"To be fair, if you're going to put something in place, if there aren't teeth it won't happen," Clawson says. "The most successful U.S. legislation like HIPAA and PCI have big hairy teeth."

One of the new laws would require all private sector companies with more than 250 employees, all private sector companies whose core activities involve regular monitoring of individuals and all public authorities to formally appoint a data protection officer (DPO).
The Data Protection Officer Role
"The data protection officer must be empowered by the organization to act as an independent assessor of its compliance with data protection laws and report to the board of directors in doing so," say Ulrich Bäumer and Stephanie Ostermann of the International Law Office, an online legal update service for companies and law firms worldwide.

The new legislation would require organizations to demonstrate that they have undertaken regular data protection audits and privacy impact assessments using recognized industry standards, including demonstrating that privacy compliance and risk mitigation steps have been implemented before putting in place new processing systems and activities.
Implications of a Data Protection Officer Staff
With such a broad mandate, and severe penalties for noncompliance, Clawson warns that organizations should be prepared not only to hire a DPO but also to build a staff to help the DPO carry out his or her duties.
"The implication is there's a staff behind this person," he says. "Right now it looks like they're going to impose a whole bunch of controls that are apparently going to be legislated with a whole bunch of penalties. There's going to be some layer of staff that goes with that on top of the technology purchases and the documentation required."
Data Protection Steps to Take Now

"You've got to be watching what's echoing through the chambers in the E.U. and what you're hearing about possible changes in legislation," he says. "And you should begin looking at the strongest examples of data protection laws that currently exist within the E.U., like Germany and France, and try to measure yourself against those. I can't imagine it gets much worse than that."
Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Thor at tolavsrud@cio.com