Data Science and the DPO

Original

https://towardsdatascience.com/data-science-and-the-dpo-f8bfb31c75b1

The EU’s General Data Protection Regulation defines personal data

Why is hiring a Data Protection Officer who ignores Data Science like buying an armored car to drive around in circles?

If data is the fuel of the digital economy, Europe’s new General Guidelines on Data Protection provides a legal roadmap of what we can now do with the personal data of European citizens. Critical to this new legislation for all organizations that process personal and sensitive data will be the obligation to hire a Data Protection Officer (DPO). Employers beware, for hiring a DPO based only on their knowledge of the law won’t get you any closer to reaching your strategic objectives. Let’s look at the obligations, qualifications, and responsibilities of your future DPO before focusing on their need to understand the nature and the goals of Data Science.

The designation of a Data Protection Officer, before the General Data Protection legislation goes into effect on May 25th, 2018, is a mandatory requirement for private companies and private organizations. This new European legislation requires the appointment of a DPO for any company that processes or stores significant amounts of data on their European employees or customers wherever their place of operations. DPOs must also be appointed in organizations that regularly capture, store, or transform the data of European citizens regardless of their base of operations. Any non-military agency that regularly and systematically monitors personal data, or processes sensitive data (health, race, ethnicity, religion etc.), is also required to comply with the legislation. Given the scope of these requirements, it is little wonder that a recent study concluded that 28 000 DPOs will be hired in the coming months alone.

The Data Protection Officer will assume a wide range of organizational responsibilities in front of consumers, employers, and stakeholders. The DPO will ensure the compliance of organizational data processes with GDPR. They will be asked to establish comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities. They will also conduct audits to ensure compliance and address potential issues proactively. The DPO becomes the single point of contact for employees and customers who wish to be informed about how their data is being used, and what measures the company has put in place to protect personal information. Finally, the DPO serves as the point of reference between the company and the National Data Protection Authorities (NPA).

Despite such broad responsibilities, European regulators offer little specific guidance on what qualifications a DPO candidate must bring to the table. Article 37 requires a data protection officer to have “expert knowledge of data protection law and practices.” Beyond that, the regulations suggest that the candidate should have a thorough understanding of an organization’s IT infrastructure and technology. The DPO must remain an independent counsel within the organization without direct responsibility for decisions concerning how data is processed. Public and private organizations may share the services of a DPO, but they are not allowed to hire a DPO on a short- or fixed-term contract.

Hiring a DPO with little knowledge of Data Science is likely to be as ineffective as it is counter-productive. The DPO must understand why, and not just how, the organization is collecting personal and sensitive data. Technically, personal and sensitive data doesn’t need to be stored in the organization at all, for as long as the Data Science team has access to a unique referential they can reconstitute on demand the needed records from a variety of external data sources. He or she should nevertheless appreciate that Data Scientists are less interested in hoarding personal and sensitive data than in exploring how the relationships between individuals (or technologies) influence collective beliefs, motivations, and actions. The DPO should be a part of the Data Science team, for the legal requirements of GDPR aren’t constraints that limit its use of Data Science, but considerations that can guide its application in your business.

The DPO needs to look beyond the function’s responsibilities and obligations, to explore the larger picture of why the organization is collecting data at all. The success of any organization today depends on its ability to leverage data not only in understanding the past performance of the organization, but in predicting and influencing future market trends. This requires developing data processes that promote analytics at every level of the organization: scanning the market context to understand the nature of their business challenges, qualifying the data at hand, identifying the right methodology to address the problem, and transforming the data into a call for action. DPOs need to believe in and evangelize the vision that data isn’t just an organizational by-product that needs to be monitored and controlled, but a transformational force that will help define how the organization will look at its market, its resources, and its bases of competitive advantage for the foreseeable future.

Lee Schlenker is a Professor at ESC Pau, and a Principal in the Business Analytics Institute http://baieurope.com. His LinkedIn profile can be viewed at www.linkedin.com/in/leeschlenker. You can follow him on Twitter at https://twitter.com/DSign4Analytics.