Mandates create new GDPR roles, processes for compliant companies
As companies tweak IT processes to maintain General Data Protection Regulation compliance, the regulation raises questions about new, privacy-centric GDPR roles and responsibilities.
To maintain compliance with the EU's General Data Protection Regulation, companies have to incorporate new data privacy management processes, as well as decide who will be responsible for these new GDPR roles and responsibilities. There is certainly no one-size-fits-all solution, however, according to attorney Nicholas Merker, a partner and co-chair of Ice Miller's Data Security and Privacy Practice.
Instead, companies must consider their own unique business needs and corporate culture when implementing GDPR-specific changes. In part two of this two-part Q&A, Merker discusses the new roles and processes being driven by GDPR compliance and offers strategies to help incorporate the changes.
Editor's note: The following was edited for clarity and brevity.
You mentioned new GDPR roles being implemented by companies as a result of the new compliance requirements. What types of new IT or data management roles are companies creating specifically to handle GDPR compliance?
Nicholas Merker: The GDPR itself has promoted this concept of a data protection officer (DPO) role. The role is actually not new, but there is a GDPR requirement that you designate a data protection officer if you fall under the requirements where you have to do so. The IAPP (International Association of Privacy Professionals) did a survey where they thought there were going to be 75,000 new data protection officer roles created worldwide because of those requirements.
One of the tasks of the DPO is to monitor a company's compliance with the GDPR. Companies are actually declaring a DPO and having that person kind of run point on their compliance program, or at least the monitoring of it moving forward.
Who is typically in charge of maintaining the data transparency and management requirements under GDPR?
Merker: I don't think there is one answer that you can apply to everyone. I've seen companies have a very successful privacy program within their information security program, although I know there is guidance out there that says that it can be a bad idea because, even though those disciplines overlap, they have mutually exclusive types of drivers.
Then I've seen privacy offices being within legal. In one client, a privacy officer was under HR. It really depends on what makes sense for the organization. When I usually answer this question for a client, I say that privacy office should be within the purview of whatever executive is most excited about GDPR or most excited about privacy and is going to put some real strength behind this group. If that's someone who you can identify and they are in the customer service team, your privacy office should be there to start. The way it can work for one company is not how it might work for another.
Are you noticing any complications for U.S.-based companies that are trying to remain GDPR-compliant when working with European customers? Did they have to quickly adopt any new data management strategies or GDPR roles to adapt?
Merker: Let's say you're a United States company and you have 50% of your revenue coming from Europe, but 50% of revenues coming from the United States. There are some companies that are tackling this by saying, 'OK, we're just going to treat 100% of our data as being within GDPR's scope and we're going to protect the U.S. data the same way.' If you take that approach, you might spend some extra money on something that you don't need to do from a legal perspective, but maybe you should do just from a consumer goodwill perspective anyway to protect that U.S. data.
Other companies are taking an approach where they do kind of a split-brain compliance -- where I'm going to have my EU compliance program, but it's only going to focus on EU protection requirements and my U.S. protection program is going to be completely different and align to the laws here, which are less onerous.
With that approach, I think that that creates just a lot of complexity. Companies that made that decision a year ago or a year and a half ago when they started down the GDPR path are potentially reconsidering that approach. It's causing almost more bureaucracy in your compliance program because you really can't have a fully split-brain approach in almost every company. Data coming from the EU is going to be commingled in some way with data in the U.S., or at least accessed by potentially the same types of individuals within the organization. It can create a lot of complexity if you try to have that difference.