The rise and fall of the DPO (Data Protection Officer)

Maybe you have noticed it. Privacy is an issue. A bit strange since there are only 20 days left until the new EU General Data Protection Regulation (GDPR) will become fully enforceable throughout the European Union.

So before end of May 2018 all organizations that process data of EU citizens must comply with this General Data Protection Regulation. Determining how to handle the GDPR is not straightforward. The 261 pages long is not known for its clarity. There is e.g. some confusion on the DPO. DPO stands for Data Protection Officer.

To be clear: Most organizations do not need to designate a DPO. Only if you are a public authority (e.g. government) or public body you must assign a DPO. Or you need a DPO if your core activities involve processing of sensitive data on a large scale or if your activities involve large scale, or if you are regular and systematic monitoring individuals.

The DPO should be some kind of safe guard to make sure a company takes the GDPR serious. But knowing how hard it is for security officers to act within companies it is hard to imagine that a DPO will have a better and easier position to act within a company.

Since privacy and security are and will and stay risk based a DPO will have a hard time to get support from the highest management level when discussion on acceptable risks will rise. The history from security breaches and the role and actions of security officers hereby are hopefully not a forecast for the way DPOs will act.

Privacy without good security is hard, if not impossible. So thinking about a DPO you might get the thought that this role is a new ‘pointless job’ invented by people working at institutions were ‘bullshit jobs’ are fully accepted. If you have not read it, please take notice of the hilarious, but good and serious research and book on the ‘The Bullshit Jobs Theory’ by David Graeber.

To make life for everyone who will deal with the GDPR a bit less complex I made a simple categorization of the DPO within different organizations.

DPO categorization

So in organizations that process large amounts of personal data to make profit you are screwed as DPO if your organization has low ethical standards on privacy and a low morality to be compliant with the GDPR.

This blog post will be added (after rewrite) as an extension on the ‘Open Reference Architecture for Security and Privacy‘. We are working on an renewed version. Please join us!