With GDPR Fast Approaching, How Should Companies Fill the Data Protection Officer Role?

In just over six weeks, companies processing European Union citizens' data will be subject to the General Data Protection Regulation — and that means they'll need a data protection officer. GDPR requires a number of organizations with EU operations to appoint a DPO, who will oversee company compliance with the new privacy rules.

Major companies have job postings up for DPOs, including Facebook Inc., whose Dublin-based candidate should have at least ten years of data protection and privacy experience, experience engaging with European Data Protection Authorities and preferably advanced degrees. For Uber Technologies Inc., the DPO is an Amsterdam-based position that also requires at least a decade of experience and preferably a law degree.

But many companies aren't sure what qualities or experience to look for in a successful DPO, according to Dana Simberkoff, the chief risk, privacy and information security officer at AvePoint, a software vendor and manufacturer. "You need to have someone who understands the difference between paper-based compliance and real compliance," she said.

Simberkoff noted that many DPOs have a background working in legal departments, but the role can also go to compliance or security professionals with more of a privacy background. Regardless of the department DPOs come from, she says, it may be easier for companies to hire from within. With little time left until GDPR's implementation date, an inside hire who already knows the business' privacy needs may get the company up to speed faster.

Both Simberkoff and Seb Matthews, CEO of cloud service provider extaCloud and a defense and technology consultant, said that a company's DPO doesn't necessarily need to work solely within the legal department and answer to in-house lawyer bosses.
The DPO could have different reporting lines than others in the legal department, Simberkoff said, noting DPOs will be able to do their job best in a carved-out role that allows them to advocate for data protection, even when their advice doesn't align with companies' financial interests.

"Although empowered and autonomous, I would perhaps expect the DPO to be a direct report to the CLO or CPO (largely because corporations need articulable hierarchy to function!) but clearly not necessarily be accountable to them given the autonomous nature of the DPO role," Matthews wrote in an email. He noted that, while a legal background isn't a definite requirement for a DPO, it is important for companies to ensure legal resources, including counsel, are available to the officer.

And the location question isn't just about which department, if any, the DPO will work in; it's also about where they should be placed geographically. Companies not based in the EU must decide whether DPOs will be based in an EU city or closer to their main headquarters. Simberkoff noted that the importance of DPOs' relationships with regulators may lead more of them to be based in the EU, but that their knowledge of and involvement in the business is also important, and could draw DPOs to live and work near non-EU headquarters. That's a decision to be made on a company-by-company basis, she says.

Jay Cline, PricewaterhouseCoopers' U.S. privacy leader, said that it could be helpful to have DPOs live and work mainly in the country of the company's EU base — and that their relationship with local data protection authorities could be bolstered if they speak the country's language.

In Matthews' opinion, DPOs should be as close to the location of the company's data collection as possible, wherever that may be. "In my view it is more appropriate that the DPO is close to the data, and by extension, close to the people gathering, processing and controlling the data," Matthews said in an email.
"Ensuring compliance with the requirements of the GDPR is not a project, it is a continuum, and doing that from afar will likely be difficult."