2013 is the year of the Data Protection Officer

A year and a half ago I criticised the ICO for getting its data protection policies all wrong, so it is only right that when they do something right I give them credit. This month they have given Sony a fine of £250k for the leaking of bank details during the PSN breach. The Register claimed it was because of their crap security. This would be the biggest fine ever (although it has since been slightly beaten by a Brighton NHS trust who lost patient data, and by the text message spammers who were fined £400k, although that was cut in half because one of those fined was bankrupt).

As we saw last time though, there is some new EU legislation coming relating to data protection, including giving the ICO the power to fine beyond the current limit of £500k. One of the biggest new things to come is the requirement that companies over a certain size have a Data Protection Officer.

It’s interesting though, because this legislation is starting to look like it is too late. This year, 2013, will be the year when companies start thinking about hiring a Data Protection Officer, because at upwards of £250k in fines for losing personal details, the ICO is no longer a trivial matter. From a risk management perspective it now becomes financially imperative for you to hire a Data Protection Officer.

Let’s look at what this job will look like in more detail.

What does the EU say?

Article 35 introduces a mandatory data protection officer for the public sector, and, in the private sector, for large enterprises or where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring.

Note that if you are in the public sector or dealing with public sector data then you will need to have a Data Protection Officer. This will be a job role that virtually every company will have to fill in the near future. I’d strongly recommend that you think about doing it now.

Isn’t this a jumped up whistleblower job?

Make no mistake about it, this is not a whistleblower job. This job is vital for running your business within a legal framework. If it doesn’t run within a legal framework it will not be a corporate whistleblower who gets you in trouble, it will be your customers.
Virtually all of the ICO’s fines have come from instances where people’s data has been put at risk and someone outside the company has found out. You will get found out if your company has lax privacy systems in place, and you will get fined heavily. The risk in this situation is not worth it.

Is it a full time job?

In some cases, I think this will be a full time job. It will depend on what you will be doing with that person (more on that in a minute). However I fully expect that many companies will want to employ someone on a part time basis as part of another role to start with. I think the EU agrees with me, as it suggests that the role is given to someone at a ‘Group’ level, or that if they have other duties those duties are compatible with it:

The controller or the processor shall ensure that any other professional duties of the data protection officer are compatible with the person’s tasks and duties as data protection officer and do not result in a conflict of interests.

What will the job cover?

Getting into the real nitty gritty here. A data protection officer needs to be consulted any time that personal data is going to be processed or used. But this happens hundreds of times a day in the world of digital. You, looking at my website now, are having data collected about you. The data protection officer needs to understand this at a deep level, and understand how the tools that we have in the background are going to process this information.

With that in mind, a Data Protection Officer must come from a background similar to that of a Web Analytics person. They need to have a core understanding of:

  • How the technology that automates the data collection works
  • How the technology that processes the data in the background works
  • How data is stored in systems, and how secure that storage is
  • What sort of things Marketing and Product teams will want to do with the data
  • What sort of processing of the data is needed to put those teams in a position to do this
  • What someone would see as a violation of their personal data

Given the need to understand Business, Technology and Marketing, it makes most sense for this person to be taught how the law works (see what is a web analyst). Someone with a legal background will not have the inclination to learn all these things, someone with a technical background won’t have the inclination to learn the Business or Marketing perspective, whereas someone from a Business or Marketing background will just tell you to get it done and be damned (gross generalisation alert).

How will this affect our Marketing activities?

In most cases it won’t affect your marketing activities.
That’s because your marketing activities will already be perfectly in line with people’s personal data.
But that doesn’t mean that the processes you go through couldn’t be improved to make sure there is no risk of someone’s personal information being compromised. This is what your Data Protection Officer will do.
They will be the layer in between the requirements of your campaign, channel, tactic, or whatever it is that you happen to be doing, and the implementation of it. Even where you believe there are existing processes in place, you need to go and talk to this person.
This is actually why it makes the most sense to have your Web Analytics person in this job: you should be going to them anyway to ask how you will report on it afterwards. They may tell you everything will work as standard, but at least they’ll be able to tell you. This will save you a lot of money in the long run.

But our Web Analytics person already has too much work

Then this is the perfect opportunity to hire someone (or hire another person) to do the job for you. Your Web Analytics person’s main job should be doing analysis to give recommendations on improvements to your activities that make more money. This almost makes the perfect business case to make that person more senior and give them more responsibility.
Of course if you haven’t started integrating your Web Analytics people into your Business Intelligence team then this is the ideal opportunity to do so.
Or of course you could hire a friendly agency to help out :)
