The rise of the data protection officer
The web of confusion over the requirements of the GDPR is enough to send anybody that is not data savvy into a tailspin. No wonder demand for DPOs is growing
Whether you buy into the terminology or not, big data by its most common definitions is real and is becoming increasingly complex. Not only are businesses upping their level of spend, according to a recent Gartner report, but more than three-quarters of companies are investing or planning to invest in big data over the next two years. When you combine that with an environment of tightening regulations, not least of which the EU's impending General Data Protection Regulation (GDPR) - the launch of which remains a topic of immense confusion - businesses need to start recognising the value and requirement of a data protection officer (DPO).
The ebb and flow of data is a priority concern for every organisation, regardless of the sector it operates in. Despite often attracting the most attention, focus is certainly not limited to the marketing industry. Most businesses don't consciously set out to break compliance regulations, but while businesses remain fully aware of the parameters they should be working within across all their operational activity, both internal and external, their ability to remain on the right side of the law will become increasingly harder to manage. Every organisation, therefore, needs to understand the regulations surrounding the collection, storage and application of data, especially if they are to operate in a compliant manner and implement strict best practices around data privacy.
So how will the GDPR shape the industry moving forward?
While the EU's attempt to unify data protection in a single law is admirable, it has sparked off huge debate. On the one hand there are concerns from consumer groups lobbying for greater controls on privacy and brands handling their data. On the other, doubts are being raised by brands that the proposed punitive measures on data protection will stifle innovation and investment, as well as their ability to connect with customers within the digital economy.
This web of confusion is enough to send anybody that is not data savvy into a tailspin. In fact according to a report published by FireEye earlier this year, only 20 per cent of organisations have put the necessary measures in place to meet the requirements of the GDPR. A DPO can help shed light on these complications and the contradictions surrounding them, as well as provide guidance and assurances that the company safeguards its data in a privacy-compliant manner. Ultimately their role and purpose is to offer advice on how to handle specific situations relating to the use of data.
It's important to note that this position doesn't need to be full time, nor does it need to be fulfilled by a lawyer, in fact it may be better if they don't practice law. The advice needs to be practical and based on a sound understanding of the implications any action or decision will have on the company, how it will be perceived and interpreted by its customers, the wider public, the media, associated companies and relevant trade bodies. This perception is critical to the business' overall brand image and its ability to conduct business. In an environment of increasing scrutiny about how brands use customer data, this should be a top concern for the executives of any boardroom.
The increase in the amount of data companies were able to collect in the pre-Facebook world pales in comparison to what is available now. Whilst that in itself has been enough to trigger conversations about the need for DPOs, the impending GDPR has strengthened the case for companies to start preparing for the changes it will bring and to get on top of their customer data. This is particularly important for brands who want to avoid the risk of reputational damage or the possibility of receiving heavy fines. The DPO is central to helping businesses develop in this regard. While large organisations have or are planning to make a raft of new hires in order to protect their organisations and ensure that they remain fully compliant to any change in regulation, there is a severe skills shortage across the EU that is making it harder to meet the increasing demand for DPOs.
At the moment it remains to be seen how the employment market will rebalance itself to address this gap. Whilst there are currently specific training programmes for DPOs in place across Spain and Germany, there are next to no options available to people in the UK for those wanting to enrol in a DPO programme. There is also little literature on what new skills will have to be learnt in order to help businesses avoid breaching these rules, although the IAPP (the largest privacy officers' association) do offer general training and certification of privacy professionals. These issues will have to be addressed as businesses race to not just remain compliant, but also nurture trust between them and their customers. One thing is clear, big data innovation moves at an incredible speed and the training programme will have to be dynamic, but also thorough and forensic to avoid any breach of data protection.
As the needs and requirements of the DPO intensify across the industry in European businesses, questions will continue to be raised about the parameters within which they operate. Even though there is no legal provision in the UK Data Protection Act, the fact that many companies are starting to voluntarily appoint data protection or privacy officers sends a signal that pragmatic companies are choosing to button up on privacy matters and using DPOs even when the law does not require them to.
Brands need to make sure they are taking these innovations seriously and understand how the presence of a DPO within their organisation will become extremely useful in ensuring compliance and best practice, particularly in terms of handling customer data. It does remain to be seen how the industry will move to satisfy this growing demand for DPOs and what impact this will have on consumers ability to freely trade their data in exchange for free services or a better online experience. However, with the ICO, magic circle law firm Allen & Overy and many others increasingly calling for businesses to invest in a DPO, the debate is only going to intensify, especially as the GDPR legislation draws closer to being passed.
Dr Sachiko Scheuing is Acxiom's European privacy officer
Computing's Big Data Summit is on 17 March. Click here for details