European Union regulation will likely spark a talent war for data protection officers -- and lead to a shortage.
A new European Union regulation is likely to spark a fierce contest for talent to fill the new post of data protection officer (DPO).
The new European General Data Protection Regulation (GDPR) carries substantial monetary penalties for noncompliance: fines of up to €20 million ($23 million), or 4% of a company’s total worldwide turnover for the prior financial year, whichever is higher, according to a client memorandum by London law firm Willkie Farr & Gallagher.
The GDPR creates a single European data privacy law, but enforcement lies primarily with national authorities. In a significant change, the regulation applies to data processed outside the EU that relates to the offering of goods and services to individuals in the EU, or the monitoring of their behavior.
Companies with more than 250 employees, or whose main business is processing data, must designate a DPO, who will be responsible for overseeing all data processes within the company and will be the primary contact point with the regulator.
Although the deadline for naming a DPO is not until May 2018, the race is on to find suitable candidates before a talent war erupts as the deadline gets closer. There already is a shortage of privacy officers in Europe. The International Association of Privacy Professionals estimates that at least 24,000 DPOs will be needed to meet private-sector demand, in addition to 4,000 in the public sector.
The DPO must be a highly independent position, reporting to top management, backed by sufficient company resources to fulfill the job function. The DPO is required to keep a register of all processing operations involving personal data carried out by the institution and must ensure that all processing staff are fully trained in protecting data. Individual EU residents have a right to obtain information about the processing of their personal data in a timely manner and, generally, free of charge.