My last journey into the GDPR jungle (see Is Goddam Privacy Regulations What GDPR Really Stands For?) suggested that most US companies will be unprepared for the regulatory vines that are about to entangle them, simply because they don’t know about GDPR and they do not know it applies to them. (In reality, it applies to any company anywhere that processes the personal data of EU citizens in any way.) One of the data points that led me to that conclusion was a search I did for Data Protection Officer (DPO) jobs in the US, using LinkedIn and a few of the big recruitment sites – more on which later.
“What is a DPO?” you’re wondering. If you knew anything about GDPR, you’d know. It is an employee whose job is to ensure compliance with the GDPR. He’s the local data sheriff. All public authorities in the EU must appoint one and so must businesses whose core activities involve “regular and systematic monitoring of data subjects on a large scale” or processing of “special categories of personal data” of EU citizens.
The “special categories of personal data” include such things as racial or ethnic origin, political opinions, religious or philosophical beliefs, and so on. (If you want the full definition, read GDPR Article 9.)
The DPO’s role (fully described in GDPR Article 39) includes:
- Informing and advising the business and its employees of their obligations under the law. (A DPO must know the law.)
- Monitoring compliance with the law, including managing internal data protection activities, training data processing staff, and conducting internal audits. (It’s the data sheriff role, with deputies if necessary.)
- Advising on data protection impact assessments when required under Article 35. (This refers to technology changes that might impact privacy. You have to work out the impact. Read Article 35, if you must.)
- Working and cooperating with the controller’s or processor’s designated supervisory authority and serving as the contact point for the supervisory authority on issues relating to the processing of personal data. (This is a doozy. See below.)
- Being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights. (Running the data privacy help desk.)
The fourth point should prompt you to ask, “What’s with this designated supervisory authority?” The back story is this: one of the goals of GDPR is to standardize data privacy laws across the EU. To that end, every EU country has set up one or more supervisory authorities to provide guidance and enforce the law. This makes life easier for businesses with offices in more than one EU country: they can choose a suitable supervisory authority and deal with that authority for all things GDPR.
And if you are outside of the EU, your DPO needs to connect with a suitable supervisory authority.
It is worth highlighting just one of your GDPR responsibilities as a business that holds the personal data of any EU residents: you must report a data breach affecting such data within 72 hours of discovering it.
And who is responsible for doing the reporting? Your DPO, of course.
And who to? To your EU supervisory authority, of course.
If you don’t have either and you suffer a data breach, what are you going to do? Ignorance of the GDPR law is no excuse.
Now is an excellent time to remind you that the penalty for GDPR violation is anything up to four percent of global annual revenue or €20 million, whichever is greater!
So let me now report the results of my job search on LinkedIn and various recruitment sites for Data Protection Officer positions in the US.
How many did I discover?
Kudos to you, Groupon.