Why 2020 was to be the year of the Data Protection Officer in Australia


By Milou Lammers

With Twitter having launched its privacy centre at the tail end of last year, it's a sign of the times that new and emerging regulations require a dedicated workforce to keep customer data safe and maintain compliance with key security and privacy regulations. With dedicated data privacy departments come dedicated risk and compliance experts, such as the Data Protection Officer (DPO).

We have seen an increase in DPOs in the EU, UK and US in the wake of new data laws such as the GDPR and the California Consumer Privacy Act (CCPA), and Australia is hot on their heels when it comes to data protection. A study last year by TAS, a solution provider for Australia's financial services sector, predicted a sharp increase in the number of dedicated security professionals. More than 60 per cent of executives surveyed said they were seeking as many as five additional professionals in this area.

Since then, we've witnessed a typhoon of ransomware attacks worldwide and an increase in penalties issued under the GDPR. At one point, this regulation alone was expected to produce more than 75,000 DPOs around the world. With Australia's CSOs and CIOs currently doing the job of many, 2020 is set to be the year for change, and quite possibly the year of the DPO. Even though the role hasn't seen as much pick-up in Australia as in the rest of the world, stricter regulations and cyber-attacks on a global scale will likely increase demand for this dedicated data protection professional.

Even without a mammoth regulation like the GDPR, Australia has its own obligations to meet. APRA's prudential standard CPS 234 sets information security requirements for banks, insurers and superannuation funds, and the Information Security Registered Assessors Program (IRAP) governs how systems handling government data are assessed against the Australian Government Information Security Manual. Each regime has its own controls, evidence and reporting expectations, so organisations will need professionals who can manage compliance across several regulatory frameworks at once.

In addition, any Australian company with global ambitions will have to be familiar with, and in compliance with, US and European regulations like the CCPA and the GDPR. These laws follow the data, not the company: an Australian business holding the personal data of Californian or EU residents is bound by those regimes for as long as it acts as custodian of that data. It would be a tall order to ask those currently in the role of CSO or CIO to add this work onto their already full plates.

As the security landscape becomes more global and complex, so too must the structure of executive teams to ensure their data and their customers’ data is protected.

Specialise to succeed

CSOs and CIOs have long been taking on data protection responsibilities on top of their own jobs, but data privacy and security are becoming ever more consuming tasks and can no longer be seen as 'add-on' duties. While it is true that there is some crossover between the roles of the CSO and the DPO, each has enough unique responsibilities to be defined in its own right.

The one boundary that is clear within this grey area is accountability: the CSO protects the organisation's information assets, whereas the DPO is accountable for how the personal data of customers is collected, used and retained, and for demonstrating to regulators that the organisation complies with the rules that mandate that protection.

Think of the CSO as inward facing, like a Governor-General, and the DPO as outward facing, like your local council representative. Both are necessary for optimal performance, but the roles are almost completely separate in terms of output.

Because of this distinction, appointing a DPO will help not only to protect data but also to facilitate its efficient use and encourage better customer service, promoting organisational growth.

Failing to define the role of the DPO as a profession in its own right, and instead delegating the responsibility to busy executives, could lead to weaker data protection. It makes sounder business sense for each executive to focus on their own remit, based on their prior training and knowledge, than to ask them to juggle multiple responsibilities.

Create a tighter working relationship between the DPO and the CSO

It has been almost two years since the EU's GDPR came into force. Not only was it a learning experience for Europeans and Britons, but it also acted as a warning to other nations set to undergo similar regulatory changes. The regulation requires public authorities, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive categories of personal data, to appoint a DPO in order to be compliant. As global demand for DPOs mounts, organisations without one can find themselves in a tight spot with auditors and regulators.

While demand in Australia hasn’t quite reached the level that we’re seeing in the US, EU, and UK, we know it’s coming, and it shouldn’t come as a surprise to the industry. In order to prepare for what is to come, we need to educate the next generation and up-skill our current workforce.

The role of CSO has risen to prominence over the last 10 years. Now it's hard to imagine a company without one. This time last year, the likes of Uber, Airbnb, Microsoft and Facebook were all advertising DPO roles, and where business leaders such as these go, others must follow.

We need to future-proof our company structures by paving the way for future DPOs. Expert mentoring and thorough training from existing experts on Australian IT and regulation will help us sail through any potential storms ahead and avoid both the monetary and the reputational damage associated with non-compliance.

Industries like tech, digital marketing, finance, healthcare and retail will be the first to overhaul their compliance structures internally, but eventually all companies will need a DPO to help keep customer data safe.

Milou Lammers is a Compliance Specialist at iland Cloud in Houston, Texas. She holds a Juris Doctor from the University of Richmond School of Law and a Bachelor of Arts from Middlebury College. She has prior work experience in legal and compliance advisory services related to data privacy, IT services, tax, financial risk, international corruption, general corporate compliance & ethics matters for companies in the U.S. and E.U.