The world of data security is a highly complex and fluid environment in which businesses must put in place policies and procedures that are proactive, rather than reactive, to the ever-present threat of a data security breach, while also complying with an increasingly rigid regulatory framework. The need for C-suite level data protection officers is only one of the requirements of the European General Data Protection Regulation (GDPR). Unlike the current Data Protection Directive, GDPR will also apply to organisations or “Data Controllers” based outside of the European Union.
The European Union is not the only region that is beginning to take notice of the fact that data protection legislation is well overdue. In Singapore, the Personal Data Protection Act 2012 (PDPA) requires organisations to designate at least one individual, known as the Data Protection Officer (DPO), to oversee the data protection responsibilities within the organisation and ensure compliance with the PDPA.
Other countries in Asia, Southeast Asia and Oceania have also instituted similar legislation, to a greater or lesser degree. For instance, in Australia the approach to data privacy and protection is currently made up of a mix of Federal and State/Territory legislation. Although there is no requirement for organisations to appoint a Data Protection Officer, it has been noted that doing so would be ‘good and usual practice under the current law’, and the Privacy Commissioner has issued guidance strongly recommending it.
Need for a Data Protection Officer
Given both regional and global concerns surrounding data protection, the importance of appointing a suitable Data Protection Officer is becoming more and more urgent.
However, even the most qualified Data Protection Officer cannot act in an institutional vacuum. If a proactive stance towards the issues surrounding data security is to be maintained, it is essential that a core team of DPOs, IT staff and other information security professionals work closely together. This is especially important given the onerous nature of the compliance required by the GDPR.
In terms of the regulations governing the functions of the Data Protection Officer, it is strongly recommended that the Data Protection Officer be a C-suite level executive reporting to executive management. Furthermore, the DPO should have autonomy, the related budget, and the necessary resources and decision-making powers to execute data protection plans, address issues of non-compliance and report these issues to the relevant Data Protection Agency.
The DPO support structure
The task of the DPO is further complicated by the requirements for the handling of the data itself, as well as the associated processes mandated by the GDPR. There are several requirements regarding access to the data, the security of the data, the development of a remedial plan in the event of a data breach, regular audits, as well as handling changes to the data. Compliance will result in a significant drain on organisational resources. It is simply not possible for a single employee to handle all aspects required to achieve compliance.
It is only through close coordination between the DPO, IT, information security and compliance staff of the organisation that these requirements can be met on a day-to-day basis. This requirement for an integrated and aligned support structure becomes even more urgent when the functions of the DPO are handed to someone with existing work responsibilities, as has been the case in the past.