Who’s Your Data Protection Officer [DPO]?
That’s right, who is your Data Protection Officer or DPO? Under proposed European Union regulations your organization will need to appoint a Data Protection Officer if your company is based in, or does business in, the EU; employs 250 or more persons; or has core activities that consist of processing data. For years, the EU has had a DPO in each member state and in most EU institutions. The proposed regulations would extend the DPO requirement to private organizations.
If you’re like me, an IT practitioner, you think of data protection as protecting your organization’s data assets with backup, offsite replication, security and encryption. EMC even has a Data Protection and Availability Division with thousands of employees dedicated to helping organizations protect data.
But that’s not really what the DPO requirement is about. In the EU, a Data Protection Officer is concerned with protecting the privacy and handling of personal data. In IT we think about the organization’s data assets, whereas the EU’s General Data Protection Regulations are concerned with the people the information is about. And the fines for violating the regulations are significant: either 2% of an organization’s annual revenues or €100m for each infraction.
What are the data privacy regulations that you need to be concerned about?
Certainly your organization will need to seek appropriate legal advice, but in general the precepts are based on the right to privacy with respect to the processing of personal data, and on the principle that institutions shall not restrict or prohibit the free flow of personal data. There are also requirements that organizations possessing personal data obtain permission to transfer it, along with the individual’s right to be forgotten.
In some respects the regulations simply extend IT’s existing stewardship responsibilities for data. In addition to the data protection processes we employ today, we will need to add further controls and capabilities. Over the next few months we will see more information in the media about the upcoming regulations.
How can you get ahead?
Be aware of the impending changes and start to think about the impact on your processes. Think about what you need to do differently, and be prepared to advise your compliance teams on the options and costs to implement. That’s the easy part. Implementation could be disruptive if your controls and security are lax. But if you have been keeping up with best practices and advances in technology, you should be okay.
Want to help your organization keep the cost down? Clean up your data; get rid of data you don’t need. If you reduce the overall number of bytes in your house, the cost to protect and comply will be lower. Consider that a vast amount of the data most organizations hold has not been accessed in over six months.
The Federation Companies, EMC, VMware, Pivotal, Virtustream, and RSA Professional Services can help you comply with the regulations, and we can help you clean up and retire old data. Reach out to your EMC Client Solutions Director or Account Team Rep to be directed to the right help.
The proposed Data Protection Regulations should be good news to most IT professionals. On the one hand, they increase awareness of the two-way stewardship relationship around data: to the people the data is about and to the organization that uses the data as an asset. On the other hand, they put pressure on the organization to take data protection seriously: secure the data and implement appropriate governance controls. But at the end of the day, it’s all about stewardship of the data, and ultimately about you, the steward of the data.