When should you hire a DPO?
When facing the reality of complying with the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), many companies realize that they need to appoint or hire a Data Protection Officer (GDPR) or a Privacy Officer (CCPA) to initiate the compliance process and then administer the regular activities that keep the company in compliance.
They want to understand what qualifications and experiences are required for a successful candidate. The resource website GDPR.eu has an excellent checklist for qualifications necessary for a Data Protection Officer.
Those qualifications include:
- Substantial senior leadership and organizational skills, with the ability to coordinate the activities of multiple entities that may not report directly
- Substantial experience (5 years) drafting privacy policies, technology reviews and other documents in support of establishing and sustaining a compliance program
- Hands-on knowledge of IT systems and infrastructure, including certification requirements
- Demonstrated written and verbal communications skills for interacting with a wide variety of stakeholders
Clearly this calls for senior, well-trained and broadly experienced individuals, and for some companies it may require a staff of specialists, including legal and technical. Now that CCPA has become law in the US (as of January 2nd, 2020), more companies will begin seeking out these qualified workers for the Data Privacy Officer role, and those subject to GDPR will also need to see about appointing a Data Protection Officer.
What is the salary for a DPO?
Senior leaders qualified to fill the appointment of Data Protection Officer will command six-figure salaries, a difficult addition for a small to medium-sized business when that person is needed to manage the privacy program full time in house.
Salaries for Chief Privacy Officers in the US are increasing faster than those for Data Privacy Officers in Europe, perhaps due to the scarcity of individuals available with the skillset needed for this new role. The International Association of Data Privacy Professionals (IAPP) 2019 survey shows that a well-qualified CPO can command $200,000 per year in the US. Globally, privacy professionals overall saw salaries increase to over $123,000 per year.
According to Gartner:
“The people with the right skills are highly sought after by companies around the world. After all, the profile of data privacy has risen rapidly over the last few years, yet it takes time to acquire the training and experience necessary to become a seasoned privacy professional.”
Forbes Technology Council agrees that:
“Hiring a qualified DPO is a challenge, especially for small- and medium-size businesses. The right candidate should have management-level experience in cybersecurity, IT and/or governance, risk and compliance.”
This spells trouble for companies that control large amounts of data and have to comply with the GDPR, but have few executives commanding salaries in those ranges. In some companies there is the possibility that the compliance team will be the highest-paid organization in the company.
Consider Outsourcing the DPO Role
Many companies will find their solution in outsourcing the role of DPO, an arrangement the GDPR does allow for, provided the DPO's independence and reporting structure are preserved. Specially trained and experienced senior consultants can fill the role of senior leader, organizer and supervisor of specialists trained and assigned to the day-to-day responsibilities of maintaining privacy compliance with GDPR and/or CCPA.
In addition, there are SaaS-based solutions available from third parties, which can include comprehensive tools for developing the required documentation of processing activities, paired with expert support and legal and technical resources. In today's competitive climate, businesses around the globe have looked to outsource non-mission-critical tasks to third parties as an economical alternative to hiring and training in-house staff. For privacy compliance, this may be the best alternative for many companies.
Contact us today to learn how your company can benefit from an outsourced data protection officer or chief privacy officer.
GDPR checklist: gdpr.eu/data-protection-officer/