
The 6 Essential Things Every Data Protection Officer Needs To Be Effective (Pt. 01)

Whether you are a veteran Data Protection Officer (DPO) or one appointed with little prior knowledge, it pays to learn the essentials for any effective DPO role in your organization so that you can anticipate and overcome common roadblocks in your role.

What A Data Protection Officer Does

While a Data Protection Officer (DPO) is fast becoming a critical role in every organization, it is not uncommon to see — especially in small businesses and startups — DPOs being appointed with little knowledge of what the job truly entails. DPOs are responsible for overseeing the privacy matters that concern an organization. This requires a breadth of knowledge spanning multiple domains including legal, IT, cybersecurity, data privacy, stakeholder management, and business analytics.

A DPO needs the support from multiple functions in order to meet their compliance needs, failing which the organization risks incurring a hefty financial fine or reputational damage.

Understanding DPO Basics

To be an effective DPO for your organization, the following is a list of essentials in any Data Protection work:

  1. Master Data Protection
  2. Gather Management Support
  3. Form a DPO team
  4. Conduct a Gap Analysis
  5. Build a Data Protection Management Program (DPMP)
  6. Run the DPMP

Self-explanatory as the first three steps may appear, a DPO who lacks adequate Data Protection knowledge, organizational buy-in, or a core support team lacks the fundamentals needed to drive privacy goals for the organization.

In Part 1 of this 6 Essential Things Every DPO Needs To Be Effective series, I will zoom in on the first item and what it really means to learn the ins and outs of data protection. I will also be sharing useful online resources that DPOs can refer to in their learning journey in these three areas — (1) Law & Compliance, (2) Technical Data Privacy, (3) Cybersecurity.

1. Law & Compliance

The very first thing that any DPO should do is to understand the laws or compliance standards that are relevant to their organization. Because organizations now hold data of customers across the world, it is no longer safe to just look at geographical boundaries alone to determine the privacy laws that your organization must comply with. For instance, a company based in Singapore might be regulated by both the Personal Data Protection Commission (PDPC) and Europe’s Information Commissioner’s Office that enforces the General Data Protection Regulation (GDPR).

Regardless of local law, data protection laws are fairly straightforward, and it is not necessary for you to memorize every single clause, only the key requirements. As a DPO for an organization regulated by Singapore law, it is incumbent upon you to know the nine obligations of the Personal Data Protection Act (PDPA) at your fingertips, and to be able to explain what they are and how they apply to your organization. If, for instance, your organization collects and stores all data within Singapore, you should already be cognizant that the transfer limitation obligation does not apply to your organization.

2. Technical Data Protection

While studying legal requirements, you may begin to wonder how exactly you can bring your organization into compliance with those requirements, and which technical gaps you need to fill to get there.

Such technical data privacy skills are necessary in order to build a Data Protection Management Program (DPMP). While a DPO is not required to be as skilled as a white-hat hacker or application developer, you do need to be equipped with the skills to:

  • Create and maintain a data map
  • Conduct a gap analysis
  • Design and enforce policies or processes
  • Train stakeholders
  • Conduct a Data Protection Impact Assessment (DPIA)

3. Cybersecurity

It is said that there is no privacy without security. Essentially, the heart of privacy is cybersecurity. Organizations that are mature in their cybersecurity posture will already have solved most of their data privacy issues. The same cannot be said of the many other organizations, where DPOs end up hounding teams to implement adequate security controls.

To be an effective DPO, you need to have a fundamental mastery of cybersecurity. Rather than going deep in any particular cybersecurity discipline, it makes sense for you to focus on breadth in your learning, especially for the disciplines that apply to your organization. This will help you understand what and why certain security controls (such as conducting regular Penetration Testing on your organization’s applications and systems) need to be implemented.

To have a more systematic way of learning, it is recommended to follow a syllabus or certification. CompTIA Security+ is a good starting point and should cover the baseline of knowledge for DPOs. DPOs with a larger cybersecurity appetite can go for the Certified Information Systems Security Professional (CISSP) next.

A Continuous DPO Learning Journey

Data Protection is a complex yet important task for every organization. A lot more needs to be discussed and shared to better help new DPOs. Nevertheless, I hope that this article gives you insight and direction on where to start and proceed from here on out.

I have compiled a list of useful resources that is especially helpful for organizations regulated by the PDPC:

Yang JianGang

Jiangang is a CyberOps Consultant at Horangi and a Certified Information Privacy Technology specialist supporting customers from all industries in their privacy compliance program.
