The General Data Protection Regulation (GDPR) was created in order to guarantee protection of personal data and privacy for citizens of the European Union’s member states. The text, in effect since 2018, establishes quite rigid rules for any company that collects, stores and processes European citizens’ information in information systems, prescribing fines for those who slip up and allow, for example, a potential leak.
Six other nations, including the US, have followed suit. Corporations have already begun to prepare themselves, implementing controls and policies to avoid, among other things, leaks that could result in fines of up to $13 million per cyber incident.
Although the various nations’ laws have their peculiarities and differences, all have generated a new professional role in the market: the data protection officer (DPO). This professional is charged with administering a corporation’s entire flow of information, guaranteeing that it respects all current data protection laws.
“But what if my organization can’t afford to hire this professional?” some companies must already be wondering. In a recent update, the legislation authorizes companies to outsource this role to law firms, which have expertise in data protection and crisis management.
What does the data protection officer do?
The DPO is described in Articles 37, 38 and 39 of the GDPR. This executive reports directly to the company’s senior management and also interacts with local data protection agencies, serving as a bridge to ensure that everything in the corporation is compliant. The DPO must be appointed “based on professional qualities and, in particular, expert knowledge in data protection law,” in accordance with the European text.
Thus, the DPO bears the responsibility for supervising the company’s data protection infrastructure and is able to conduct audits, counsel upper management, ensure that the technical team is duly trained to protect the information, remedy potential infractions of current legislation, and serve as a point of contact with the local authorities, responding as quickly as possible to any inquiries received.
Having the help of such a professional is a competitive distinction that, in addition to conveying greater confidence to the market, may avoid a host of legal problems and ensure that your business is always conducted with a privacy-first mindset.
Characteristics of a DPO
Since this is an unprecedented profession, no one simply “graduates in data protection” already prepared to assume this role. A DPO must be an interdisciplinary professional who, in addition to having extensive legislative knowledge, also has data governance skills, mastery of the basic concepts of information security, and excellent ability in interpersonal communication—be that to communicate with regulatory entities, senior management or the company’s customers.
The most sought-after profile to assume this role is that of a person with some experience with information security and compliance, but who also is able to soak up basic knowledge in the field of law and is communicative, knowing how to transparently and clearly convey needed information both internally and externally.
A key professional
The GDPR and other similar legislation have served as a wake-up call for companies worldwide to see the need for building their business models based, from the ground up, on data protection. The supervisory authorities ensure that the legislation is being followed while cybersecurity teams deal with the more technical questions. But the data protection officer is now entering the picture as the key professional to make that connection and ensure compliance with the legal regulations.
Naturally, in the next few months the demand for that type of professional will grow exponentially—creating new opportunities for jobs with generous salaries. When the subject is data protection, especially when dealing with customer data, you can’t be too careful.