What A Data Protection Officer Does
While a Data Protection Officer (DPO) is fast becoming a critical role in every organization, it is not uncommon to see — especially in small businesses and startups — DPOs being appointed with little knowledge of what the job truly entails. DPOs are responsible for overseeing the privacy matters that concern an organization. This requires a breadth of knowledge spanning multiple domains including legal, IT, cybersecurity, data privacy, stakeholder management, and business analytics.
A DPO needs the support from multiple functions in order to meet their compliance needs, failing which the organization risks incurring a hefty financial fine or reputational damage.
Understanding DPO Basics
To be an effective DPO for your organization, the following is a list of essentials in any Data Protection work:
- Master Data Protection
- Gather Management Support
- Form a DPO team
- Conduct a Gap Analysis
- Build a Data Protection Management Program (DPMP)
- Run the DPMP
Self-explanatory as the first three steps may appear, a DPO who lacks adequate Data Protection knowledge, organization buy-in, or a core support team lacks the fundamentals needed to drive privacy goals for the organization.
In Part 1 of this 6 Essential Things Every DPO Needs To Be Effective series, I will zoom in on the first item and what it really means to learn the ins and outs of data protection. I will also be sharing useful online resources that DPOs can refer to in their learning journey in these three areas — (1) Law & Compliance, (2) Technical Data Privacy, (3) Cybersecurity.
1. Law & Compliance
The very first thing that any DPO should do is to understand the laws or compliance standards that are relevant to their organization. Because organizations now hold data of customers across the world, it is no longer safe to look at geographical boundaries alone to determine the privacy laws that your organization must comply with. For instance, a company based in Singapore might be regulated by both the Personal Data Protection Commission (PDPC) and Europe’s Information Commissioner’s Office that enforces the General Data Protection Regulation (GDPR).
Regardless of jurisdiction, data privacy laws are fairly straightforward, and it is not necessary for you to memorize every single clause, only the key requirements. As a DPO for an organization regulated by Singapore law, it is incumbent upon you to have the nine obligations of the Personal Data Protection Act (PDPA) at your fingertips, and to be able to explain what they are and how they apply to your organization. If, for instance, your organization collects and stores all data within Singapore, you should already be cognizant that the transfer limitation obligation does not apply to your organization.
2. Technical Data Protection
While studying legal requirements, you may begin to wonder how exactly you can bring your organization to become compliant with those requirements, and what those necessary technical gaps are that you need to fill.
Such technical data privacy skills are necessary in order to build a Data Protection Management Program (DPMP). While a DPO is not required to be as skilled as a white-hat hacker or application developer, you do need to be equipped with the skills to:
- Create and maintain a data map
- Conduct a gap analysis
- Design and enforce policies or processes
- Train stakeholders
- Conduct a Data Protection Impact Assessment (DPIA)
3. Cybersecurity
It is said that there is no privacy without security. Essentially, cybersecurity is at the heart of privacy. Organizations that are mature in their cybersecurity posture will already have solved most of their data privacy issues. The same cannot be said of the many other organizations, where DPOs are left hounding teams to implement adequate security controls.
To be an effective DPO, you need to have a fundamental mastery of cybersecurity. Rather than going deep in any particular cybersecurity discipline, it makes sense for you to focus on breadth in your learning, especially for the disciplines that apply to your organization. This will help you understand what and why certain security controls (such as conducting regular Penetration Testing on your organization’s applications and systems) need to be implemented.
To have a more systematic way of learning, it is recommended to follow a syllabus or certification. CompTIA Security+ is a good starting point and should cover the baseline of knowledge for DPOs. DPOs with a larger cybersecurity appetite can go for the Certified Information Systems Security Professional (CISSP) next.
A Continuous DPO Learning Journey
Data Protection is a complex yet important task for every organization. A lot more needs to be discussed and shared to better help new DPOs. Nevertheless, I hope that this article gives you insight and direction on where to start and proceed from here on out.
I have compiled a list of useful resources that is especially helpful for organizations regulated by the PDPC: