Article 37 of the EU’s new General Data Protection Regulation (GDPR) mandates that any organization that stores and/or processes significant amounts of EU citizens’ personal data retain a Data Protection Officer (DPO).
What is a Data Protection Officer (DPO)?
The role of the DPO is to oversee your data protection strategy and implementation to ensure GDPR compliance.
Who Must Have a DPO?
The GDPR mandate applies to organizations regardless of their size if they are:
- Public agencies or authorities (except courts).
- Private firms whose “core activities” include “regular and systematic monitoring” of data subjects on a “large scale,” which specifically includes the processing of data related to criminal offenses.
Data Protection Officer Requirements
Examples of what these three terms mean in practice:
- “Core activities” include payroll for EU employees, or the processing of EU patient health records.
- “Large scale” processing would include the processing of customer data by financial services firms or the processing of patient data by a hospital.
- “Regular and systematic monitoring” includes all forms of online tracking and profiling, as performed for diverse purposes such as risk assessment scoring, location tracking, monitoring of physical data via wearables, and behavioral advertising.
While many firms have already hired or appointed their DPOs, quite a few have yet to do so. If you’re in the latter category, you need to start bringing a DPO onboard immediately: the GDPR takes effect in May 2018.
Is a Virtual CISO the Answer to Your GDPR Compliance Challenges?
For small to midsized entities that must comply with the GDPR, lining up a virtual Chief Information Security Officer (vCISO) could be the ideal way to ensure GDPR compliance—while also addressing a host of other vital issues around information security policies and controls. A vCISO can fulfill the DPO role for well under 25% of the cost of a full-time employee, and without the potentially long and demanding talent search and the associated risk of hiring the “wrong” person.
A vCISO “as-a-Service” relationship gives your firm access to a team of experts acting as one person for your organization, and it gives you the name of a real individual to put on forms, to meet with auditors, and so on. At the same time, like many outsourcing relationships, contracting for a vCISO helps you strengthen your focus on core competencies and get more from your existing InfoSec investments and skills.
If you’re faced with GDPR compliance challenges like the need to hire a DPO, don’t delay. Contact Pivot Point Security to learn about our three-tier vCISO service offering and how you can fine-tune it even further to precisely meet your business needs.