Do you hire or grow them? Finding the ideal data protection officer
20 July 2018
After Cambridge Analytica and the rollout of GDPR, many companies are scrambling to fill the role of Data Protection Officer (DPO). Delphix's Eric Schrock gives advice on finding the right person for the job.
Data is driving massive innovation and growth in today’s economy, forcing data privacy and security into its rightful place in the spotlight. But data privacy is hard, with only the best leaders capable of navigating its treacherous waters.
While there are plenty of people who are versed in the tenets of information security, finding someone who understands compliance, technology and the implications for the business is far harder. They need to understand the tension that exists between innovation and data security and how to enact a proactive strategy to ensure the business can operate safely at the speed needed to compete in today’s digital landscape.
Who is your ideal DPO? Do you hire or grow from within? When will we be compliant and how long will we be at risk? These are the questions asked by executives in boardrooms across the world, and getting the answers wrong can spell doom for your business.
Bringing the right skills
While GDPR does define some basic responsibilities, the DPO role is much broader than simply a compliance checkmark. A DPO must have an understanding of legal and regulatory frameworks, whilst also being able to understand all services and applications that are processing sensitive data.
Keeping up with the latest advances in machine learning and natural language processing, while knowing the intricacies of international regulations, requires the perfect blend between technological understanding and legal knowledge.
What’s more, this person should understand that there’s a greater inherent risk to the business than GDPR: innovation stagnation. Data drives innovation and when it does not flow throughout the business, it’s virtually impossible to operate at the pace needed to compete.
If this sounds like a unicorn hire, that’s because it is. These rare skills are putting pressure onto DPO recruitment. The Federation of Small Businesses recently reported that 22% of business owners think that a lack of digital skills is holding them back.
Rather than one person having all of these skills, the DPO function could be viewed as more of a data ombudsman: a role or collection of people who operate separately from the everyday working of the business. They should be committed to representing consumer data protection rights, and to ensuring that the company acts in the best interest of the individual while supporting growth and overall business goals.
Understanding the terrain
In developing this role, leaders must understand that data security and data privacy are related but complementary components of the problem. Security is primarily focused on preventing unauthorised access to data, such as encrypting data at rest and during transport to limit snooping.
Data privacy, on the other hand, is about reducing risk within the data that is made available, such as masking data to eliminate personal information.
Effective data privacy controls require understanding the different privacy domains within your company, the various security controls implemented within them, and the level of risk you’re willing to take on. As data passes from the user to your production application, from production to non-production, or to third parties, those are all points where you must assess and potentially alter the risk profile of the data.
Data privacy is messy, and as much as we want there to be a black-and-white answer of “there is no personal information in this data”, it’s ultimately unachievable.
Voice patterns and video can be personally identifiable, but technology to identify and mask them is severely lagging. What is sensitive to one person may not be to another.
Statistical analysis of masked data can still compromise privacy even if each individual record is secure. A DPO needs to be able to navigate the nuances of data privacy and be able to assess and communicate risk to others.
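The residual risk described above can be measured rather than guessed at. The following is an added example, not code from the article or from Delphix: it takes a constructed set of records whose direct identifiers have already been masked, checks how many records remain unique on the surviving quasi-identifiers (k-anonymity), checks whether any group leaks its sensitive attribute outright (l-diversity), and shows the effect of one mitigation, generalising birth year into a band. Field names and values are assumptions for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample (not real data): records after direct identifiers such as
# name and e-mail were masked out. The fields that survived masking can still
# single a person out when combined, which is what the checks below measure.
MASKED_RECORDS = [
    {"id": "r1", "postcode": "SW1A", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"id": "r2", "postcode": "SW1A", "birth_year": 1984, "sex": "F", "diagnosis": "none"},
    {"id": "r3", "postcode": "SW1A", "birth_year": 1984, "sex": "F", "diagnosis": "none"},
    {"id": "r4", "postcode": "EC2N", "birth_year": 1988, "sex": "M", "diagnosis": "diabetes"},
    {"id": "r5", "postcode": "EC2N", "birth_year": 1982, "sex": "M", "diagnosis": "none"},
    {"id": "r6", "postcode": "EC2N", "birth_year": 1982, "sex": "M", "diagnosis": "none"},
]
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")  # assumed quasi-identifiers
SENSITIVE = "diagnosis"  # assumed sensitive attribute

def _key(record, quasi):
    return tuple(record[q] for q in quasi)

def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class; k=1 means some record is unique."""
    counts = Counter(_key(r, quasi) for r in records)
    return min(counts.values()) if counts else 0

def singleton_ids(records, quasi=QUASI_IDENTIFIERS):
    """Records unique on their quasi-identifiers, i.e. re-identifiable by linkage."""
    counts = Counter(_key(r, quasi) for r in records)
    return [r["id"] for r in records if counts[_key(r, quasi)] == 1]

def l_diversity(records, quasi=QUASI_IDENTIFIERS, sensitive=SENSITIVE):
    """Fewest distinct sensitive values in any class; l=1 means the class reveals it."""
    classes = defaultdict(set)
    for r in records:
        classes[_key(r, quasi)].add(r[sensitive])
    return min(len(v) for v in classes.values()) if classes else 0

def generalise_birth_year(records, width=10):
    """Mitigation: replace the exact birth year with a band, e.g. 1984 -> '1980-1989'."""
    out = []
    for r in records:
        lo = r["birth_year"] - r["birth_year"] % width
        out.append({**r, "birth_year": f"{lo}-{lo + width - 1}"})
    return out

if __name__ == "__main__":
    print("masked set: k =", k_anonymity(MASKED_RECORDS), "l =", l_diversity(MASKED_RECORDS),
          "unique records:", singleton_ids(MASKED_RECORDS))
    banded = generalise_birth_year(MASKED_RECORDS)
    print("after banding birth year: k =", k_anonymity(banded), "l =", l_diversity(banded))
```

Note that masking the names alone leaves one record unique and two groups whose members all share the same diagnosis; banding the birth year raises both measures, but only for this data set, which is why the assessment has to be repeated at each point the data crosses a privacy domain.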
Leveraging the right technology
An effective DPO needs the right organisational structure to support them. This includes sufficient authority, resources and management support to be able to achieve the purpose of the position.
But it’s not just a people problem; technology is incredibly important as well. IT will need to be fully on board and ready to implement the technical aspects of compliance. Given the breadth of business divisions covered by the DPO and the complexity and value of data today, DPOs will need to re-think their technology infrastructure. By understanding where data needs to be, the privacy domains it must pass through, and the ways in which it will be consumed, DPOs can design the ways in which data must flow and build the supporting technology to make it possible.
One emerging discipline that can help is DataOps. Through people, process, and technology, DataOps focuses on the efficient delivery of secure data to all that need it. It bridges the divide between those who collate data, those who use data, and those who interpret data to allow for innovation to flow.
There won’t be a single vendor that can provide a complete set of solutions, DataOps or not. But DPOs should focus on leveraging the right tools to establish a data platform. A platform allows teams to centralise data discovery, access, and governance policies, giving the DPO confidence and visibility while accelerating innovation.
Finding the right DPO is the hard part, but the way to ensure their success is to employ data management solutions that include data delivery, data masking, and on-demand access to avoid innovation stagnation.
An existential threat
Data privacy will not go gently into the night. Data systems and algorithms are only getting more complex, privacy regulations more complicated. As society comes to grips with the implications, companies are going to be held more accountable, with increasingly dire consequences.
A new breed of leader is needed to shape the culture, tools, and processes required to truly embrace data privacy in every fibre of a company’s being. The Data Protection Officer is not just a GDPR mandate, it’s a core strategy that every company needs to embrace to survive.
Eric Schrock is CTO at Delphix.