Data Protection Officer: Do You Need One?

Data protection is no longer the domain of the IT manager.

Enterprise organizations are dealing with larger data volumes, more data-dependent business models, and more unpredictable cyber threats than ever before. These pressures, along with new regulations passed in response to them, have moved the conversation about data protection from the IT department to the boardroom. One of the most visible signs of this shift is the emergence of a new role at corporations and government agencies: the data protection officer.

Regulatory obligations

Many organizations are adding data protection officers to their leadership teams in response to new cybersecurity laws. Most notably, both the General Data Protection Regulation (GDPR) in the EU and the recently-issued regulations for financial services providers in New York specifically require that companies appoint corporate officers with responsibility for data security.

The GDPR will apply—beginning in 2018—to any organization that collects or processes the personal data of EU citizens, whether the company is based in Europe or elsewhere. The law requires the appointment of senior-level data protection officers for government entities, and for companies that regularly monitor EU citizens or process sensitive personal information on a large scale.

New York’s regulations, NYCRR 500, apply to all organizations licensed by the state’s Department of Financial Services. Like the GDPR, the law requires that companies appoint corporate officers to oversee data protection activities. While NYCRR 500 uses the title Chief Information Security Officer rather than Data Protection Officer, the roles described by the two laws are similar in authority and responsibility.

Defining the role

Whether an organization is subject to the GDPR, NYCRR 500, or (as will be the case for many global financial services firms) both regulations at once, its data protection officer must report directly to the board of directors or other top-level organizational authority. The role can be filled by an employee or an outside consultant, but in either case the data protection officer’s job description must include certain key elements:

  • Maintaining involvement in all activities relating to data protection
  • Advising employees and executives regarding their data protection obligations
  • Monitoring the organization’s compliance with data protection mandates
  • Cooperating and maintaining contact with regulatory authorities

Meeting a higher standard

As with most issues related to data protection, regulatory obligations for data protection officers should be viewed as minimum standards. Companies that will be required to appoint an officer should design the role so that it has authority over all of the organization’s sensitive data, even where the data types or use cases fall outside their regulatory obligations. Organizations that are not legally required to appoint an officer for data security should consider creating an equivalent role to ensure that their information security gets the attention it deserves.

Long-term enterprise information security requires a top-down commitment to data protection and a deep understanding of an organization’s unique security needs. As cyber threats continue to evolve and more jurisdictions begin to regulate data security, corporate directors around the world will recognize the fact that every organization needs a data protection officer.