
Why Hiring For GDPR Is Harder Than It Seems

Finding answers to some of your most pressing questions

Posted on 05-13-2018

Hiring data privacy professionals, such as a Data Protection Officer (DPO) is an important step towards GDPR compliance. With the May 25 deadline around the corner, organizations should ensure they are taking the appropriate steps to meet compliance standards, including filling this critical role. Here are the answers to some of the most pressing questions around hiring data privacy professionals.


What are some traits organizations should look for when hiring for GDPR?

The most difficult trait to find in a potential DPO is an understanding of the technical challenges associated with data silos, and how to bridge across them. Yes, knowledge of the regulation itself is important, but it may ultimately be more effective to find someone with a mastery of solving architectural problems such as silos and train them on the details of the regulation, as opposed to vice versa. This is because the architectural component is the one with the longest learning curve.
 
As an alternative, if you can find someone who already has both qualities you may want to act quickly, because these individuals are truly rare.

Do you think organizations or potential candidates fully understand the rigors associated with the role?

Very few do. Although GDPR is rising on the list of enterprise priorities, many organizations don’t understand even a fraction of the technical challenges. There are many professionals out there who have read the regulation front to back and can recite every article, but few of them truly realize the degree to which today’s siloed architectures are resistant to GDPR compliance. It’s important to look for someone who understands how to bridge across data silos to manage data privacy on an enterprise level.
 
For example, take the matter of a simple Data Subject Access Request. If an individual asks you to delete their data, it’s not as simple as performing a search. Their data could lie in any number of different repositories, and if you’re planning to search them individually it’s going to be a long night. Even once you find it all, can you delete it? No, because you have to make sure it’s not being held for other purposes that might outweigh GDPR requirements—eDiscovery holds, records management, regulatory compliance, etc. These are all function-based silos with distinct data policies, and GDPR becomes a whole different nightmare if they aren’t unified. It’s important to have an effective method of reconciling these various policies, and an easy way to see which of them apply to a particular document.

We know the GDPR goes into effect on May 25 of this year. What should companies be doing in the meantime?

Organizations should be well on their way to implementing appropriate technologies and procedures for managing GDPR compliance, which goes hand in hand with hiring the right people. This must be a holistic process, involving stakeholders from Privacy, Legal, Compliance, IT, and the C-suite.
 
From here, prudence calls for an assessment of where and how your organization uses personal data. In addition to the typical databases used for storing consumer data, you may find personal data in unexpected places such as file shares, SharePoint, print and scan folders, etc. It will be important that organizations are able to search and apply policies to data lying in all the various repositories.
 
You can think of the type of system required as records management on a much larger scale. Organizations have long classified and applied policies to traditional business records, which has allowed them to retain, manage and find companies’ most important documents. Expanding records management methodologies to the entirety of enterprise data will lay a solid foundation for managing personal data. Easier said than done.
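The two problems described above, locating personal data across unconnected repositories and then reconciling function-based holds before honoring an erasure request, can be modelled in a few lines. The following Python is an added illustration and is not code from the article or from ZL Technologies; the repositories, sample documents, hold labels and the email-address detector are all constructed assumptions standing in for a real classifier and real retention policies.

```python
"""Toy model of GDPR data discovery and a Data Subject Access Request (DSAR)
erasure across siloed repositories.

Each document records which repository it lives in and any function-based
policies (eDiscovery hold, records retention, regulatory retention) that may
outweigh a deletion request. All data below is constructed for illustration.
"""
from dataclasses import dataclass, field
import re


@dataclass
class Document:
    doc_id: str
    repository: str          # the silo the document lives in
    text: str
    holds: set = field(default_factory=set)   # e.g. {"ediscovery", "records"}


# Constructed sample corpus spanning the kinds of repositories the article
# names: a CRM database, a file share, a mailbox, SharePoint, a scan folder.
SAMPLE_DOCS = [
    Document("crm-001", "crm", "Contact: alice@example.com, opted in 2017"),
    Document("fs-017", "fileshare", "Invoice for alice@example.com"),
    Document("mail-233", "mailbox", "Re: litigation, cc alice@example.com",
             {"ediscovery"}),
    Document("sp-9", "sharepoint", "Board minutes, signed by bob@example.com",
             {"records"}),
    Document("scan-4", "scanfolder", "Scanned contract alice@example.com",
             {"records", "regulatory"}),
]

# Stand-in personal-data detector: email addresses only. A production
# classifier would cover names, identifiers, addresses and so on.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


def inventory(docs):
    """Assessment step: map each repository to its count of documents that
    contain personal data, so unexpected silos become visible."""
    counts = {}
    for doc in docs:
        if EMAIL_RE.search(doc.text):
            counts[doc.repository] = counts.get(doc.repository, 0) + 1
    return counts


def plan_erasure(docs, subject_email):
    """DSAR step: find every document referencing the subject across all
    silos, then reconcile holds. Returns (deletable ids, blocked {id: holds}).
    Blocked documents must be reviewed, not silently deleted or ignored."""
    deletable, blocked = [], {}
    needle = subject_email.lower()
    for doc in docs:
        if needle not in doc.text.lower():
            continue
        if doc.holds:
            blocked[doc.doc_id] = sorted(doc.holds)
        else:
            deletable.append(doc.doc_id)
    return deletable, blocked


if __name__ == "__main__":
    print("Personal data by repository:", inventory(SAMPLE_DOCS))
    ok, held = plan_erasure(SAMPLE_DOCS, "alice@example.com")
    print("Safe to delete:", ok)
    print("Blocked by holds (needs review):", held)
```

The point of `plan_erasure` is that the search runs once across every silo and the answer is a reconciled decision per document, which is what the article means by seeing at a glance which policies apply to a given record. A real system would plug in the organization's retention and hold services where the constructed `holds` sets sit.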
 
Ultimately, any effective system for GDPR compliance will have to begin with controlling data at the document level, and there are a limited number of individuals who truly understand how to do so enterprise-wide; this is what makes hiring for GDPR deceptively challenging.

Author Bio

Kon Leong
Kon Leong is CEO and Founder of ZL Technologies, an information governance company.

This article was published in the following issue: All Excellence Articles