With prominent data breaches now seemingly a daily occurrence and the European Union’s General Data Protection Regulation looming, now is a good time to consider appointing a data protection officer (DPO). Such a position requires a unique set of skills, and good candidates are somewhat rare. If you’re on the hunt, here are some qualifications to look for.
For starters, consider where the position is within the organization. The DPO probably shouldn’t report to the information security department; the job is more expansive than that. A better bet is to have the role report to the chief data officer (if you have one) or the chief information officer.
The most important skill a data protection officer needs is diplomacy. While this may seem like an odd requirement for a data-oriented role, it’s essential. The first task a DPO will tackle is finding out where the critical information resides within the organization. Oftentimes, it isn’t in the master financial or customer records — it’s buried within individual departments like sales, supply chain and customer support. This information may be jealously guarded by line managers, so your candidate will need strong persuasive skills to make the case for giving up some control for the greater good of data protection.
Of nearly equal importance is the ability to understand complex laws and regulations. While successful DPOs don’t necessarily need law degrees, they must be able to understand how various regional and industry regulations apply to your company. This is a major task in itself. Consider that each U.S. state has its own set of regulations governing data breach disclosures. The DPO should be able to understand these nuances and work alongside your corporate counsel.
Next up is data management skills. Once critical data is identified, it must be roped into central data stores that can be audited and protected. This means working closely with the people in your organization who are charged with the technical aspects of managing data. While database administration skills aren’t a must, the candidate needs to be able to understand how data is structured and organized, as well as current protection mechanisms.
Finally, a DPO needs a basic grounding in information security. Most data breaches are the result of human error, such as using weak passwords, copying data to unsecured locations and falling prey to phishing attacks. The DPO needs to serve as an evangelist for good security practices. This is another area where diplomatic skills are useful. IT security personnel often struggle to speak the language of business users — the DPO can help by framing best practices in terms that business people understand.
As you can imagine, finding individuals with this combination of interpersonal and technical skills isn’t easy and qualified candidates don’t come cheap. If cost is an issue, consider creating an “Office of the DPO” made up of a team of current employees and new hires who can fulfill all the necessary criteria. The impending arrival of GDPR also presents an excellent opportunity to make the case to senior management for why data protection should be institutionalized. Keep in mind that the cost of the fine for a single GDPR infraction dwarfs the expense of prevention.