A year and a half ago I lamented the ICO for getting its data protection policies all wrong, so it is only right that when they do something right I give them credit. This month they have given Sony a fine of £250k for the leaking of bank details during the PSN breach. The Register claimed it was because of their crap security. This would have been the biggest fine ever (although it has been slightly beaten by a Brighton NHS trust who lost patient data, and by the text message spammers who were fined £400k – although that was cut in half because one of the people fined was bankrupt).
As we saw last time though, there is some new EU legislation coming relating to data protection, including giving the ICO the power to fine by more than the current limit of £500k. One of the biggest new things to come is the requirement that companies over a certain size have a Data Protection Officer.
It’s interesting though, because this legislation is starting to look like it is too late. This year, 2013, will be the year when companies start thinking about hiring a Data Protection Officer, because at fines of upwards of £250k for losing personal details, the ICO is no longer a trivial matter. It now becomes financially imperative from a risk management perspective for you to hire a Data Protection Officer.
Let’s look at what this job will look like in more detail.
What does the EU say?
Article 35 introduces a mandatory data protection officer for the public sector, and, in the private sector, for large enterprises or where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring.
Note that if you are in the public sector or dealing with public sector data then you will need to have a Data Protection Officer. This will be a job role that virtually every company will have to employ in the near future. I’d strongly recommend that you think about doing it now.
Isn’t this a jumped up whistleblower job?
Is it a full time job?
In some cases, I think this will be a full time job. It will depend on what you will be doing with that person (more on that in a minute). However, I fully expect that many companies will want to employ someone on a part time basis as part of another role to start with. I think the EU agrees with me, as it suggests that the role is given to someone at a ‘Group’ level, or that if they have other duties those duties are compatible.
The controller or the processor shall ensure that any other professional duties of the data protection officer are compatible with the person’s tasks and duties as data protection officer and do not result in a conflict of interests.
What will the job cover?
Getting into the real nitty gritty here. A data protection officer needs to be consulted any time that personal data is going to be processed or used. But this happens hundreds of times a day in the world of digital. You, looking at my website now, are having data collected about you – the data protection officer needs to understand this at a deep level, and understand how the tools that we have in the background are going to process this information.
With that in mind, a Data Protection Officer must come from a background similar to that of a Web Analytics person. They need to have a core understanding of:
- How the technology that automates the data collection works
- How the technology that processes the data in the background works
- How data is stored in systems, and how secure that storage is
- What sort of things Marketing and Product teams will want to do with the data
- What sort of processing of the data will be needed to put those teams in a position to do this
- What someone would see as a violation of their personal data