The new EU General Data Protection Regulation is about to introduce a requirement for data processing companies to appoint a Data Protection Officer.The question is whether this requirement will contribute to your company better managing privacy-related risks – or is just additional piece of red tape?
My answer is that it all depends on who is appointed and how your company understand their role.
First, your Data Protection Officer should be a data privacy expert. Not your trusty HR officer who is good at keeping employee records. Not your beloved in-house lawyer who has just read data protection legislation for the first time and is wondering what it is about. And not your brilliant software engineer who is really good at programming databases.
Data protection and privacy is a way too complex topic and there is a reason for it to be becoming an industry on its own. Learning the key concepts such as data subject, data controller and data export is one thing. Being able to apply them in a complex business and technological environment is another. That is why you need your Data Protection Officer to be a seasoned data privacy professional.
Second, your Data Protection Officer should be directly involved in your company’s privacy risk management. Data protection goes well beyond a tick-box compliance exercise: when using cutting edge technology and Big Data analytics, it is way more likely to be shades of grey and associated risk assessment.
So instead of thinking of your Data Protection Officer as someone who drafts boring rules that no one ever reads, you should see her near the centre of your technology innovation and business development.
But unless you are a large enterprise, a Data Protection Officer who fits all these needs might be too expensive to employ full time. Outsourcing might be a better option. That is why Aphaia is jointly with partner experts such as JK Group already offering subscription to our outsourced Data Protection Officer service.
