New data rules are ushering in an entirely new job role.
There’s been an awful lot of ink spilled in recent months over next May’s General Data Protection Regulation (GDPR). Lots of hand-wringing and concern as businesses ready themselves for the legislation (which replaces the EU Data Protection Directive of 1995 and effectively rewrites the rules for collecting and managing consumer data) and steel themselves for one of the largest shake-ups to data privacy in a decade.
But we’ve yet to address comprehensively one of the more crucial mandates in the legislation: the creation of a new executive role, the Data Protection Officer (DPO), meant to enforce compliance and ensure broader corporate accountability.
What is expected of DPOs?
The GDPR enforces a strict definition of personal data: information that could be used, on its own or in conjunction with other data, to identify an individual.
The DPO’s responsibility is to ensure organisations adhere to this definition, especially organisations (say, public authorities or big multinationals) that regularly process and monitor data on a large scale.
In addition to this kind of oversight, DPOs are expected to be proficient in IT management, data security (including managing cyberattacks), and other critical business continuity issues; not unlike the Chief Privacy Officers and Chief Information Officers of today.
But the role departs from others in one crucial way: where other executives might be beholden to a corporate board of directors and accountable to their fellow business leaders, DPOs only answer to outside regulators.
They’re free agents, in essence, operating independently, regulating independently, protected against corporate sanction - all of which makes alignment at the C-level all the more important.
It’s on other executives, and on Chief Marketing Officers especially - as keepers of the brand, drivers of demand, and stewards of the larger customer experience - to work closely with the DPO to ensure corporate initiatives dovetail with compliance obligations.
This kind of collaboration isn’t just good business sense, given the fines companies will face for non-compliance under GDPR (reaching into the millions); it’s common sense, especially in this era, as an investment in compliance is often an investment in the brand - something signalling to buyers that yours is a company worth taking seriously, worth purchasing from.
But what does a CMO-DPO partnership entail?
At a minimum, it will require enhanced cooperation and communication across the broader C-suite - the support and buy-in of all executives, regardless of the reporting structure in place.
CMOs and their fellow business partners will need to agree on shared practices for technology usage and management, especially where more contentious technologies are concerned; cookies, for instance (where they may need to agree to disagree).
They’ll also need to make transparency a habit, meeting regularly with the DPO to check planned programs or initiatives - a wide-reaching digital campaign, say - against the DPO’s own checklist.
CMOs in particular should make sure their own understanding of policy and process maps back to the DPO’s priorities. They should arrive at a consensus on how to drive and support innovation and revenue, and should make sure to include the DPO in the product development process, so that the DPO stays apprised and has a way to intervene or interject as needed; a check and balance.
Most importantly, CMOs should recognise (and be quick to capitalise on) the strategic brand advantages of the CMO-DPO partnership. What is the DPO, after all, if not another thought leader the CMO can harness?
Someone whose domain expertise and breadth of knowledge only solidify the brand’s commitment to compliance and privacy, and assure buyers of a business’ good intent? Close collaboration between the CMO and DPO may well prove a big brand differentiator: not just a source of credibility, but its own kind of credential.
It is no different than the certifications - a GDPR certification, pan-European GDPR acceptance - that organisations will require later on down the road.
David Fowler is head of digital compliance for Act-On.