Data protection professionals and organization management officers share a common question: Who should the data protection officer (DPO) be? Some argue that a legal professional is most suitable for this role; others argue that an operations professional is the natural pick. This article suggests that what proves critical to an organization's data protection efforts is not the background of the DPO but whether a data protection committee exists to support that person.
Why has the talk been about a legal professional?
First, let's review why there has been such a strong call for legal professionals to take on this role. The EU General Data Protection Regulation (GDPR) requires that the DPO be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices (Art. 37(5)), so that the person can help the organization meet its compliance obligations. This is logical: A legally trained person who understands the GDPR will be able to advise the organization and craft the policies and contracts that define the relevant legal boundaries and liabilities. However, this does not by itself solve the problem of operational compliance, that is, whether the people and systems that actually process personal data behave the way those policies and contracts say they should.
Take, for instance, Facebook. Facebook is a listed company that obviously has a legal team to manage its liabilities, and yet the company is also under the greatest scrutiny for what are considered some of the largest personal data breaches. This does not mean that its legal team is incompetent. Instead, one should ask whether its business teams, engineers and the rest of the organization are competent in, or even involved in, the data protection management program, and whether the legal team was consulted on the projects that led to those breaches.