Recognizing the Privacy Officer on Data Privacy Day
Today, Jan. 28, is Data Privacy Day around the world. As the name suggests, it’s a day to promote good privacy practices and education at home and in the workplace, and to recognize the work being done to protect your data in all aspects of life. The date marks Jan. 28, 1981, when Convention 108, the Council of Europe treaty that was the first binding international agreement on data protection, was opened for signature; the day itself, known as Data Protection Day in Europe, has been observed since 2007.
Data Privacy Day in 2019 is celebrated in a world where privacy laws are more plentiful and more powerful than ever; we only need to look back to this past May, when the GDPR (General Data Protection Regulation), arguably the most wide-reaching privacy law yet, became enforceable. See my ‘GDPR: The First Six Months’ blog for some background.
As we promote good privacy practices, I think today is also a good opportunity to recognize the work of the person in an organization who most directly handles data privacy – the privacy officer. Many people are unfamiliar or even unaware of what exactly a privacy officer is or does. I’m sure most people are familiar with positions such as CEO (Chief Executive Officer) or CFO (Chief Financial Officer), but they may be less familiar with a privacy officer. So, let’s break down what a privacy officer is tasked with doing, and define which kinds of organizations should have one (spoiler alert: pretty much any business, depending on where you live!).
What does a Privacy Officer do?
In essence, the privacy officer is the person who oversees the privacy practices of an organization and is the point person for any data privacy related inquiries or requests. Often, they help develop and maintain an organization’s privacy practices and are tasked with ensuring employees and staff are well educated about, and aware of, the practices they must follow. The privacy officer is the person another employee can ask when they have a question about a privacy-related matter. They also work with upper management to help shape policies, and provide input on company decisions that intersect with data privacy. Therefore, the privacy officer needs extensive knowledge of the privacy legislation that applies to the organization – PIPEDA (the Personal Information Protection and Electronic Documents Act) in Canada, the GDPR in the European Union, etc. A good privacy officer should also have some background in IT and an understanding of the systems and processes involved, since digital systems are the main way organizations today store and process their data.
The position of privacy officer is very much one of collaboration. They work with their IT department on technology issues, with upper management to develop and plan policies and procedures, and with all employees and staff to ensure privacy policies are met, and questions are answered. Often, privacy officers even interact with clients when a privacy question is raised.
Who needs a Privacy Officer?
The next question then becomes, which kinds of businesses and organizations need a privacy officer? The easy answer is that everyone should have one as a good practice. No matter the size of your company, you can benefit from having someone tasked with being mindful of privacy practices and knowledgeable about data privacy laws, to keep your company compliant. That being said, not every company needs a full-time person working 100 per cent on data privacy; smaller companies can easily assign the privacy officer duties to an existing employee. What matters is that someone takes on the duties of the privacy officer, whether full-time or not. The more data processing you do, the more time a privacy officer will need to devote to maintaining that program. If your company only handles a small amount of data, the privacy duties can easily be combined with someone’s existing position.
Having a privacy officer is a good idea, and this is reinforced in many of the pieces of privacy legislation active now. PIPEDA is Canada’s federal private-sector privacy legislation, and it requires every organization subject to it to “designate an individual who is accountable for its compliance with the Act.” In other words, if you are a Canadian business, you need to have a privacy officer (or an individual who carries the duties of the privacy officer as part of their job). The European Union’s GDPR is similar: it applies to organizations established in the EU and to those elsewhere that process the personal data of people in the EU, and it requires them to appoint a data protection officer when they are a public authority, when their core activities involve regular and systematic monitoring of individuals on a large scale, or when their core activities involve large-scale processing of special categories of data. Both of these pieces of legislation underscore the fact that having a privacy officer is an important component of properly protecting data.
Luke Henderson is privacy officer at Velsoft Training Materials.