GDPR Compliance Fuels Rise in DPO Demand

Published 28/02/2018

GDPR Compliance Fuels Rise in DPO Demand

The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018 and the intervening months will see businesses working away to ensure that they are compliant. The regulation presents a similar challenge to businesses as the Millennium Bug did, with an impending deadline, broad uncertainty and a general mood of panic.

With this atmosphere, it’s perhaps little surprise that there is a high level of demand for specialists to explain the issue and to direct the way forward. Businesses are searching for analysts, consultants and project managers with a firm grasp of what GDPR requires – and particularly those who are already GDPR-certified.

Under GDPR, businesses will need to have far tighter control over their use of customers’ personal data. Non-compliance may result in fines of up to €20m or 4% of global annual turnover – whichever is higher.

66% of businesses plan to hire GDPR related roles

Given this, it’s hardly surprising that there has been a rush for businesses to hire staff in an effort to get to grips with the law and what is required. Some 66% of UK businesses polled said that they planned to hire new permanent staff members to deal with GDPR, while 64% said they would take on temporary or interim employees.

It would seem like the threat – and the complexity – posed by GDPR is being over-exaggerated by some. For SMEs, GDPR compliance is likely to be relatively simple. A programme of centralising and de-duplicating personal data storage; instituting a culture of minimal data handling and communication; and ensuring that sensible security is followed, should mean that all the requirements are met.

For large-scale enterprises GDPR offers a more substantial challenge and there is potentially much more to lose. A first step is to establish what and where data is being stored and collected and by whom (especially given that this is likely spread across a host of domains and platforms, both managed in-house and through third-parties). 

A wait-and-see approach is highly inadvisable as consumers can be expected to begin to explore what is available as soon as the law is passed – while speculative litigation will likely be quick to test the waters.

Data protection and security skills roles in high demand

Given this, large businesses may well be taking on Data Protection Officers to manage the process – with GDPR predicted to create roles for 75,000 DPOs worldwide.

 

Public authorities; organisations that conduct wide-scale monitoring; and organisations that handle large amounts of sensitive data are formally required to have a DPO. In the current climate, and the post-GDPR landscape, DPOs with a strong IT background and a firm grasp of the law – plus the ability to communicate effectively – are doubtless going to have a lot of opportunities available to them.

At the same time, businesses of all sizes are likely to be investing in security and CISOs (and in higher budgets to attract experienced security experts). And while there are only limited numbers of individuals specifically certified in GDPR, businesses may well extend their reach to professionals with previous experience of managing compliance reforms.

Across the board and at all levels, however, there will be a need to supply GDPR training for all staff who come into contact with customer data. This may be achieved internally, though third-party providers may be able to step in to fill the gap, quickly and efficiently.

As the law doesn’t differentiate between manual handling and automated processing, companies working with AI (for example to optimise pricing on loans or insurance) will also want to take a close look at what they’re doing. This is something that becomes more complicated when machine learning is applied – as it may be ambiguous what an unsupervised AI is doing and why. Organisations with systems like these are hence likely to be making it a priority to provide documentation, so that processing can be systematically audited and explained.

When the dust settles on GDPR, and the consultants step away, there are going to be some significant, permanent changes to the way that industry operates. First and foremost will be a cultural shift to minimise the use and handling of personal data and to ensure that processing comes with explicit permission and justification. Post-GDPR, there will also be far more data protection officers in the world, as well as an enhanced security culture. What’s more, both fields are likely to carry a considerably increased amount of clout in the boardroom.

 

To find out how we can help you with your specialist GDPR and security technology recruitment please contact Alex Osei on 02036757777.