I was asked to contribute to an article on the new legal framework surrounding Data Protection Officers (DPO). I was pleased they took what I consider to be one of the critical contributions I offered, that “Privacy by Design” is a requirements management problem.
I am sorry in a way that the language is developing towards calling these positions, DPOs, I rather preferred that of Chief Privacy Officer. Having Chief in the title establishes the importance to the organisation and also is a sign post to the fact that this new breed of worker, will have to exercise professional judgement as do accountants and lawyers today.
I actually disagree with the interviewee who said that the DPO would not have the breadth of knowledge to protect … data. The role of the new hybrid is to do exactly that; they must understand what “adequate technical protection” means; the words of the law imply that the lawmakers are looking for professional judgement to be applied to decisions around DP compliance, just as only qualified accountants can take certain business decisions. The mandatory skills now include IT security knowledge as well as the law.
Beyond the role of the DPO, it’s a fact that traditionally privacy and confidentiality have played a low priority role in the development of applications software, Defences have often been delegated to infrastructure teams. Issues such as entitlements and segregation of duties require bespoke requirements management and applications & integration engineering. The slow adoption of DNSSEC and ‘https everywhere’ are indicators of the reticence of business solutions developers to adopt even standard infrastructure tools since they fetishise function and see privacy (n fact the full spectrum of IT security) as a non-functional requirement. This is why privacy-by-design is a requirements management issue.
This was originally published at Linkedin Pulse. Please comment there if you want.
Image Credit: @flickr CC 2009 Claus Rebler BY-SA