A hiring boom of up to 75,000 DPOs (Data Protection Officers) is expected in the run-up to May 2018, when the EU’s new GDPR takes effect, according to a survey published by the International Association of Privacy Professionals (IAPP).
The DPO role currently enjoys a modest footprint amongst European employers, and is almost unknown beyond Europe’s borders, but under the new regulations all European organisations except for SMEs will be obliged to appoint a DPO.
The GDPR clearly prescribes a number of rights and obligations attached to the DPO role, together with certain independent protections in terms of job security, an obligation to “cooperate with the supervisory authorities”, and a mandate that the jobholder must report “to the highest” level of the organisation. As such, it is seen to represent a significant upgrade for the typical Compliance Officer role in terms of scope of responsibility.
The IAPP survey found that 40% of respondents planned to make their current lead privacy professional their DPO, while another 50% stated they planned to either appoint a new jobholder or train someone from elsewhere in the organisation.
The new regulation applies not only to the EU member states, but also to any country involved in the handling of EU citizens’ data. The issue of cross-border data transfers receives special attention in the text of the GDPR, and is expected to spark widespread reviews of data processing contracts with non-EU-based IT service providers.
Guidance published by the EU regarding the adequacy of third-party data processors based outside Europe points to clear non-compliance with the GDPR unless the third-party supplier can clearly demonstrate a data protection regime of similar adequacy to the GDPR. Under the terms of the regulation, EU-based businesses are liable for ensuring such suppliers are compliant, or face sanction themselves, with fines of up to 20m or 4% of global turnover for breaches.