Last Updated on March 16, 2023
If there’s one thing that can be confusing within the growing number of national and US state-level privacy laws, it’s the terminology and requirements for a Data Protection Officer (DPO), privacy officer, privacy lead, etc.
What is the nature and purpose of this role as it relates to an SMB looking to roll out a strong privacy program? Do you need to hire an attorney? What’s the right background for this position?
To give SMBs valuable tips and insights on how to launch and sustain a privacy program that aligns with business goals, a recent episode of The Virtual CISO Podcast features Jason Powell, GRC and Privacy Consultant at Pivot Point Security. Hosting the show is John Verry, Pivot Point Security’s CISO and Managing Partner.
Passion is a great credential
For most SMBs in the US, there is no mandated requirement that your privacy lead hold a legal credential.
“I’d like to throw out a tip for smaller organizations that really want to take a meaningful run at a privacy program,” offers Jason. “You do not need somebody with a JD behind their name. You do not need an attorney to be your privacy officer. In fact, probably a good percentage of my data protection peers in Europe who are literally at the Data Protection Officer level are not attorneys. They are people who came from technology backgrounds, or many from business, who have a passion for this. Or they got handed this and they said, ‘Hey, this looks pretty cool.’ And they dove in and are doing a bang-up job.”
“What you need is somebody who’s got passion and is willing to learn and try out new things and make connections around the globe,” Jason recommends. “In fact, a good place to start if you can’t afford an attorney is somebody who’s got paralegal experience. There are lots of opportunities out there to pick up somebody who can do the job, who is passionate, who can learn the job.”
Retrofitting a security geek? Not recommended.
One staffing move Jason does not recommend is trying to transform a dedicated cybersecurity geek into a privacy lead.
“It’s really, really hard to turn your average security practitioner into a passionate and effective privacy stakeholder or practitioner,” cautions Jason. “I’ll be the first to admit I’m a weirdo. I’m really the oddball among all my peers in Europe. I happen to be a policy and governance wonk by nature. So privacy suits me really well. But I’m kind of an outlier.”
Leveraging a virtual/fractional privacy officer
For organizations that can’t afford a full-time privacy officer, or that need a true Data Protection Officer for GDPR compliance, does it make sense to look for a virtual privacy resource?
“A fractional DPO or a virtual DPO is very workable,” Jason indicates. “There are definitely organizations in Europe, and probably in the US, that that’s what they do—they’re virtual DPOs. And there are also probably people who act as fractional or virtual privacy officers, which is the more generic flavor of that.”
But beware of terminology. Under GDPR, the DPO role is a specific, important and protected position.
“Articles 37, 38 and 39 of the GDPR talk all about the designation, roles and tasks of the Data Protection Officer,” Jason notes. “They have to be independent. They have to be able to walk into the C-Suite whenever they want, or attend board meetings and represent in a conflict-free way the privacy risks and issues of the organization. Really, they’re the last stopgap for the rights and freedoms of the data subjects that they represent.”
“So, if you’re building a privacy program, and you don’t have to comply with GDPR, don’t call yourself a DPO if you’re the chief privacy officer,” reiterates Jason.
When you do need an attorney for privacy
Because ensuring compliance with privacy laws requires an understanding of the law, you may periodically need an attorney’s advice even if you don’t need an attorney to run your privacy program.
As Jason explains: “If you’re simply complying with ISO 27701, that’s a framework, that’s not law. I don’t think it’s terribly important to have an attorney running that program. But if you’re putting together a program and your intent is to comply with a law—no matter where it is—that requires at least a little bit of legal examination and legal interpretation.”
“For instance, I can provide a client with a reasonable explanation of a control or talk to them about how they may or may not be meeting that control,” Jason continues. “But I don’t have any standing legally to say, yes, they’re compliant with CCPA or GDPR.”
“It’s always good if you want to develop a robust, capable and continually improving privacy program to be able to reach out to an attorney who understands privacy, even if it’s not their specialty,” advises Jason. “If they can look at what you’re trying to comply with, and can offer a reasonable and legal opinion, that’s important.”
“It protects them,” John adds. “If you’ve done that due diligence and had a privacy-knowledgeable attorney review something, in the event it was ever challenged, you’ve done what you needed to do to protect your organization.”
To listen to this podcast episode with Jason Powell end-to-end, visit: https://pivotpointsecurity.com/podcasts/ep66-jason-powell-private-practices-how-to-prioritize-privacy-in-your-organization/
Interested in exploring whether a virtual privacy officer is right for your organization? The Virtual CISO Podcast has you covered! https://pivotpointsecurity.com/podcasts/how-data-privacy-standards-affect-your-business/