Rise of the CDPO: How data protection officers became IT’s hottest property

Data is driving more disruption with every passing year. In 2017, cross-sector digital transformation specialists Capgemini polled leaders in finance, engineering and beyond: 64% of leaders agreed big data was changing traditional business boundaries and enabling non-traditional firms to enter sectors. From IoT to AI to marketing, data is the diesel that keeps the engines running.

With this rapid increase in data come worries about protection. The recently-passed GDPR has made it necessary for public authorities and some data processors to hire a Data Protection Officer (DPO). This person monitors compliance, informs and advises on data operations, acts as a point of contact for the public - and must be an adequately resourced expert in data protection.

Many firms are getting by with ‘accidental’ cybersecurity professionals. These IT, law, compliance or government professionals enter the field out of necessity and bring analytical clout, soft skills, and the ability to convert technical jargon to business value - but they’re often self-taught on the technical front. Deidre Diamond - founder and CEO of CyberSN and #brainbabe - explains that data protection is “behind in marketing and representing all of the jobs that exist - our schools have no idea about all of these jobs.” Addressing this means taking the image of data protection out of the dark room where the DPO sits alone, quashing hackers, and introducing what the DPO really does.

What is a DPO?

Any organisation which processes or holds large amounts of personal data - anything that can be used to identify a person - has to recruit a DPO. The DPO is responsible for educating the company and its employees on compliance requirements, training staff in data processing procedures, conducting security audits, and acting as the point of contact between the company, supervisory authorities and data subjects in the event of a data breach or request.

David Ponder, BlackBerry’s global DPO, sums up the role thus: “You have to be flexible. You must partner with the business and learn from them - and always use more carrot than stick if you’re going to be effective. People need to believe that their actions matter, and understand they can have a larger organisational impact.”

Since GDPR made them necessary for many organisations, DPOs have been in high demand. Job listings for DPOs increased six times over following the rollout; job searches more than doubled, but supply is still dramatically lagging behind demand. Recruitment has become more and more aggressive. “I get between eight and ten calls a week about a role from recruiters,” says Mimecast DPO Marc French. “Come January [2018], those increased exponentially, because everyone realised ‘oh my god, GDPR is only five months away’.”

The average salary for a DPO is £27,000; in some sectors, however, the DPO commands a significantly higher rate of pay. DPOs in law firms take home an average of £52,000 a year, closely followed by IT and Internet businesses (£47,500), health and nursing (£37,000) and public sector (£32,000). Customer services DPOs are, on average, underpaid, taking home just under £19,000 per annum.

Why are DPOs such hot property?

In a nutshell: future-proofing.

By 2020, there will be over 40 zettabytes (that’s 37,252,902,984,619 gigabytes) of data in the world. The boom is driven by our increasingly digital lives, from smartphones to CCTV to internet usage, social media and, increasingly, the Internet of Things. More and more devices are becoming interconnected - 6.5 billion in 2016, a predicted 20 billion by the end of the decade - and their interactions produce a staggering amount of data.

Businesses will use this data as they do now, for personalising communications, targeting marketing efforts, and driving product or service innovation by tracking consumer demand. Data provides the raw material from which AI learns: the more data there is to process, the more the automated systems learn - eventually becoming capable of improving a company’s operations without human support. Efficiency, productivity and accuracy will continue to improve, driving down the costs of doing business by up to 30%.

All of that data will need to be harnessed, controlled and protected, and legislation is already becoming more widespread.

Facebook, Google, Instagram and WhatsApp received their first data protection complaints within hours of the General Data Protection Regulation coming into force, and Facebook has also received a £500,000 fine over the Cambridge Analytica scandal - the highest penalty permitted under pre-GDPR regulations.

Businesses outside the EU need to watch the horizon. In the wake of GDPR, the state of California - Silicon Valley’s back yard, and a kind of barometer for legal trends in the US as a whole - has passed tough data security laws, and similar legislation is emerging in South East Asia, where the Philippines have led the charge on data privacy since 2012.

DPOs already have to work at C-level, aligning with Chief Information Officers and Chief Marketing Officers to balance customer and compliance demands. The role demands cooperation and communication across the C-suite - data protection practice has to be agreed on by the leadership, and transmitted through the business as a whole.

Given that DPOs are answerable to outside regulators rather than the corporate hierarchy, it seems likely that they will rise to C-level sooner or later, maintaining the necessary independence and figurehead status, and operating at the appropriate business-wide level.

Becoming a DPO - certifications and pathways

Certifications for DPOs are currently in a state of flux. Under the strict letter of GDPR, a DPO does not have to be certified - however, the ICO suggests working toward an approved certification, demonstrating your compliance to regulators and the public. Sam Pfeifle - content director of the IAPP, which introduced its GDPR Ready programme, aimed at DPOs, in 2017 - claims to have totally sold out of GDPR training places for the first half of 2018.

Larger companies often have someone on board to act as DPO already, nominating a member of the board to take on the responsibility. SMEs and growing businesses are often outsourcing … but as they mature they’ll employ someone full time. These businesses, which are currently in a growth stage and reaching the size where they hold a greater amount of personal data, are therefore the firms to watch out for if you’re looking to transition into a DPO role.

Until now, data protection has been customer-facing - providing the assurance that everyone’s up to date - and it’s been possible for non-specialists to learn on the job. With a tighter definition of ‘personal data’ and more demanding rights and responsibilities surrounding data processing, however, the new DPO role demands a firm grounding in technical skills. The DPO needs to be familiar with backups, servers, cloud storage, and CMS - and the nitty gritty of how they interact and what data is held where. The role is evolving into something more technical, and ambitious IT professionals will be well placed to ride the wave.