Regulations, changing consumer attitudes, distrust and cases such as the Facebook Cambridge Analytica story add to shifting privacy and data protection sentiments. The need for data protection professionals and knowledge/practice exchanges within privacy ecosystems are key. A series of European data protection conferences enables it.
Personal data protection, privacy and compliance with regulations such as the GDPR and the ePrivacy Regulation are ongoing efforts. They are not about just deadlines, avoiding administrative fines, enabling the exercise of data subject rights and projects.
Attitudes regarding privacy and the usage of personal data are changing since several years. Regulations play a clear role but they are not alone. Personal data protection is a journey amid a changing mindset across the globe and data protection officers and the ecosystems within which they work (internal and external) are key in it.
Although many organizations already had data protection officers (DPOs), which is far from a novel function and notion, the number of DPOs certainly has increased as a consequence of the GDPR and other laws in a global environment where privacy and the protection of personal data has become increasingly important.
While before the GDPR only a few countries across the globe, such as Germany, had laws that made a Data Protection Officer mandatory, under the GDPR it’s mandatory in several cases. This doesn’t mean that organizations which don’t fall under the conditions that make a DPO mandatory don’t have DPOs, well on the contrary.
For many organizations it’s also hard to fill in the DPO position. Looking at it from the GDPR perspective there are several options. However, given the rising attention for privacy in recent years and certainly with the GDPR, there is a shortage of DPOs.
Why the attention for privacy and personal data protection will continue to grow and DPOs remain in high demand
Furthermore, it doesn’t look as if the attention for privacy and personal data usage and protection is about to drop after the GDPR, ePrivacy Regulation and so forth. And it doesn’t look as if it will be just a matter of the EU and other countries/territories with strong privacy laws, such as Canada.
Two names to make that clear: Facebook and Cambridge Analytica. The story of Facebook and Cambridge Analytica was well known since quite some time except for some details. Yet, it didn’t really got much attention despite several professional journalists having done some serious digging and reporting in leading news media. It took time before it went global and as it now clearly has due to a mix of events and changing circumstances.
We see it as an additional trigger for growing awareness regarding the usage of personal data and privacy overall (we’re pretty sure Mark Zuckerberg regrets having said that in the age of social networks privacy was no longer a social norm and expectation of people back in 2010), the need for data protection laws and most probably more effective privacy laws in countries where perhaps the attention for personal data protection was less outspoken so far.
The reason of the turning tide is clear: on top of an increase of distrust in recent years overall, Facebook, which won’t perish despite the #deletefacebook calls and Elon Musk deleting the Facebook pages of Tesla and SpaceX, simply has become an essential platform for loads of people, a part of their lives. One can even say that the Facebook and Cambridge Analytica story has more effect on people than breaking news on yet another personal data breach, which for many sadly enough seemed almost like a new normal.
The shortage of DPOs, filling in DPO positions and the shaping of DPO communities of knowledge/challenge exchange and of privacy teams
Taking all this into account it is a good time to become a certified data protection officer as a next career move indeed. On top of all the new data protection officers being certified as a result of GDPR, there are of course many people who have been DPO – or fulfilled that role without explicitly carrying that title – since a long time.
They have different backgrounds and are active in various departments: risk, legal, compliance, IT, security and many others.
A while ago we participated in a DPO round table with some data protection officers (again, not all carrying that title but effectively being one in practice; the GDPR doesn’t say that in order to be a DPO you need to be certified as one under a specific program) of large companies.
It once more was striking to see how de facto DPOs are eager to convene, share best practices, share their concerns and look to understand how others would deal with them and really form a community.
In fact, as 1) there is a clear increasing demand for DPOs, 2) there are ever more DPOs in organizations where personal data processing occurs, 3) there is a shortage of DPOs, 4) there are external parties specializing in providing DPO services to several companies (DPO as a Service) and 5) there are data protection teams, including third parties such as consultants, data privacy experts, lawyers etc. and/or internal legal teams, information governance professionals, cybersecurity experts and so on which are de facto involved and get trained to work under and with a DPO, these forms of knowledge sharing are essential.
Supporting a series of European data protection conferences: connecting the stakeholders and facilitating exchanges
It’s exactly why we decided to partner with the organizers of this – and other – DPO round tables who are about to kick off a series of European data protection conferences under the name DPO conference.
Why? Because it truly matters to not just hear experts from different backgrounds but also to convene representatives from all involved stakeholders in the broader ecosystem: from governments and data protection authorities (DPAs) to the academic world, lawyers, providers of DPO services, security experts, information governance experts and, most obviously, the people that watch over compliance, privacy and personal data protection within their organizations: DPOs and the teams, internal and external, they work with.
And let’s not forget the fact that as the European Commission puts it, on top of a concerted effort with several steps and GDPR awareness initiatives, succeeding in GDPR is most of all a matter of people with the know-how and experience to collaboratively strive towards GDPR compliance in a ‘concerted way’ as well, whereby the GDPR articles and GDPR recitals are one thing and practice definitely another.
With speakers at the Brussels DPO conference which kicks off the series of European data protection conferences such as the Belgian Secretary of State for Privacy Philippe De Backer (politically responsible for the local DPA); global data analytics guru, formerly member of the IAPP Training Advisory Board, DPO, Data Governance & Privacy Engineer and DPO trainer at the Maastricht University (among others), Aurélie Pols; Sentiance DPO and President of the Professional Association of Belgian DPOs Bart van Buitenen; privacy law expert Prof. Dr. Paul de Hert; ICT & Data Protection Lawyer (and external DPO) Johan Vandendriessche (among the first to have intensively worked around the ePrivacy Regulation) and DPO and Data Trust Associates (which among others has a DPO as a Service value proposition) co-founder Christoph Balduck; on top of obviously more DPOs, including attendees, and more privacy experts (the program isn’t final), the organizers succeeded in setting the scene for knowledge exchange and loads of interaction in a community approach.
After the Brussels event the European data protection conference series will go to other cities so stay tuned for the dates and more info.
All images are the property of their respective mentioned owners.