As EU Regulation Looms, Businesses Scramble for Data Protection Officers

The EU’s General Data Protection Regulation (GDPR), which is scheduled to come into force on May 25, represents a massive overhaul of data privacy law throughout the bloc. The GDPR expands the reach of existing privacy regulations, applying not just to European organizations but to all companies processing the personal data of EU residents, no matter where the company is located. It also requires organizations to request users’ consent for data collection “in an intelligible and easily accessible form,” while granting EU citizens a number of new rights, including the right to access data collected about them and the “right to be forgotten,” or to have that data erased. Organizations caught violating the regulation will be fined as much as 4 percent of their annual global turnover or 20 million euros.

With the enforcement date of this massive new regulation just months away, “data protection officers are suddenly the hottest properties in technology,” Reuters’ Salvador Rodriguez reports:

More than 28,000 will be needed in Europe and the US and as many as 75,000 around the globe as a result of GDPR, the International Association of Privacy Professionals (IAPP) estimates. The organization said it did not previously track DPO figures because, prior to GDPR, Germany and the Philippines were the only countries it was aware of with mandatory DPO laws.

DPO job listings in Britain on the Indeed job search site have increased by more than 700 percent over the past 18 months, from 12.7 listings per every 1 million in April 2016 to 102.7 listings per 1 million in December. The need for DPOs is expected to be particularly high in any data-rich industries, such as tech, digital marketing, finance, health care, and retail.

Recruiting cybersecurity talent has already been a pain point for many organizations, including government institutions, requiring them to look beyond traditional talent pools by attracting more women into the field, taking in younger candidates who may not have the necessary experience, or getting creative in sourcing. The advent of data privacy regulations like the GDPR adds a new dimension to this challenge, creating new demand for talent with a sophisticated blend of technical and legal skills.

Nor is the GDPR the only such regulation around the corner. In the wake of high-profile data breaches like the one at the credit reporting agency Equifax last year, legislators in the US are exploring ways to hold companies accountable for the security of the data they gather on their customers and employees. New York State has already enacted strict new regulations requiring banks, insurers, and some other private companies to meet a set of minimum cybersecurity standards; other states are likely to follow suit, even if the federal government does not. The GDPR will also create new challenges for transatlantic employers affected by the Privacy Shield data sharing agreement signed between the US and EU in 2016.

Meanwhile, multinational companies could face market pressure from consumers outside Europe who want the same level of control over their personal data as the GDPR provides, as well as from their employees. Between the talent requirements these regulations create and their potential impact on the collection of employee data for the purposes of talent analytics, forming a strong partnership between the HR and IT functions is becoming even more essential.