Why is hiring a Data Protection Officer who ignores Data Science like buying an armored tank to drive around in circles?
If data is the fuel of the digital economy, Europe’s new General Guidelines on Data Protection provides a legal roadmap of what we can now do with the personal data of European citizens. Critical to this new legislation for all organizations that process personal and sensitive data will be the obligation to hire a Data Protection Officer (DPO). Employers beware, for hiring a DPO based only on their knowledge of the law won’t get you any closer to reaching your strategic objectives. Let’s look at the obligations, qualifications, and responsibilities of your future DPO before focusing on their need to understand the nature and the goals of Data Science.
The designation of a Data Protection Officer, before the General Data Protection legislation goes into effect on May 25h, 2018, is a mandatory requirement for private companies and private organizations. This new European legislation requires the appointment of a DPO for any company that processes or stores significant amounts of data on their European employees or customers wherever their place of operations. DPOs must be also appointed in organizations that regularly capture, store, or transform the data of European citizens regardless of their base of operations. Any non-military agency that regularly and systematically monitors personal data, as well as processes sensitive data (health, race, ethnicity, religion etc.) is also required to comply with the legislation. Given the scope of these requirements, it is of little wonder that a recent study concluded that 28 000 DPO’s will be hired in the coming months alone.[i]
The Data Protection Officer will assume a wide range of organizational responsibilities in front of consumers, employers, and stakeholders. The DPO will ensure the compliance of organizational data processes with GDPR. They will be asked to establish comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities. They will also conduct audits to ensure compliance and address potential issues proactively. The DPO becomes the single point of contact for employees and customers who wish to have informed them about how their data is being used, and what measures the company has put in place to protect personal information. Finally, the DPO serves as the point of reference between the company and the National Data Protection Authorities (NPA). [ii]
Despite such broad responsibilities, The European regulators offer little specific guidance on what qualifications a DPO candidate must bring to the table. Article 37 requires a data protection officer to have “expert knowledge of data protection law and practices.” Beyond that, the regulations suggest that the candidate should have a thorough understanding of an organization’s IT infrastructure and technology. The DPO must remain an independent council within the organization without direct responsibility for decisions concerning how data is processed.[iii] Public and private organizations may share the services of a DPO, but they are not allowed to hire a DPO on a short or fixed term contract.
Hiring a DPO with little knowledge of Data Science is likely to as ineffective and it is counter-productive. The DPO must understand why and not just how the organization is collecting personal and sensitive data. Technically personal and sensitive data doesn’t need to be stored in the organization all, for as long as the Data Science team has access to a unique referential they can reconstitute on demand the needed records from a variety of external data sources. He or she should never-the-less appreciate that Data Scientists are less interested in hoarding personal and sensitive data than in exploring how the relationships between individuals (or technologies) influence collective beliefs, or, motivations, and actions. The DPO should be a part of the Data Science team: for the legal requirements of GDPR aren’t constraints that limit its use of Data Science, but considerations that can guide its application in your business.
The DPO needs to look beyond the function’s responsibilities and obligations, to explore the larger picture of why the organization is collecting data at all. The success of any organization today depends on its ability to leverage data not only in understanding the past performance of the organization, but in predicting and influencing future maker trends. This developing data processes that promote analytics at every level of the organization: scanning the market context to understand the nature of their business challenges, qualifying the data at hand, identifying the right methodology to address the problem, and transforming the data into a call for action. DPO’s need to believe and evangelize the vision that data isn’t just an organizational by-product that needs to be monitored and controlled, but a transformational force that will help define how the organization will look at its market, its resources, and its bases of competitive advance for the foreseeable future.
A number of training centers can offer help and assistance in training future DPOs. An excellent source of information, benchmarks, and resources can be found on the EC websites, as well as those of the NPA’s (the CNIL in France).[iv] Several universities are beginning to offer short programs and/or executive degrees on the legal and technical roles of the DPO. Private consultancies are focusing the more practical issues of auditing, process improvement and reporting. At the Business Analytics Institute, we address the inherent links between data science and the practices of a DPO in our conferences, MasterClasses and DPO certificates. We strongly believe that hiring a Data Protection Officer ignorant of Data Science is like buying an armored tank to drive around in circles — you may feel well protected, but you’re not actually going anywhere.
Sign up for our new one-day MasterClass on becoming a Data Protection Officer. The practice of business analytics is the heart and soul of the Business Analytics Institute. In our Summer School in Bayonne, as well as in our Master Classes in Europe, our focus on digital economics, data-driven decision making, machine learning, and visual communications will put analytics to work for you and your organization.
Lee Schlenker is a Professor at ESC Pau, and a Principal in the Business Analytics Institute http://baieurope.com. His LinkedIn profile can be viewed at www.linkedin.com/in/leeschlenker. You can follow us on Twitter at https://twitter.com/DSign4Analytics
****************
[i] Heimes, R., (2016), Study: At least 28,000 DPOs needed to meet GDPR requirements
[ii] Jakubowicz, L. (2016), Data protection officer (DPO) : définition, formation et salaire
[iii] Lord, N., (2018), What is a Data Protection Officer (DPO)?
[iv] See for example, The DPO Corner