The European Privacy Recruiter's Blog
It has been a hot-button issue for the Trilogue partners as they sit at the table with three different standpoints; the original text of the Commission, a fine-tuned version by the Parliament which supports the Commission view in the essence, and finally a rather flexible view from the Council leaving the topic up to the discretion of the Member States (and in a way makes me question the whole idea of this reform package: 1 continent, 1 law). Some of you may have seen the comparative table we prepared on this showing where parties divert from each other.
As the the whole point of the Trilogue is reaching a consensus between these EU institutions, we are expecting a good outcome on this topic which ultimately improves an organization’s approach to Privacy management but also nuanced (in terms of type data processed) and flexible enough so that it is embraced easier by business which have presence in Europe. It is all about balancing!
Latest news (end Nov) tells us that the Presidency of Luxembourg which recognized the Parliament’s firm position has published a document for the Council and suggested a compromise. According to this document, only public bodies, organizations which regularly and systematically tracks data subjects on a large scale and organizations which process large scale sensitive personal data would be obliged to appoint a DPO. It further suggests that organizations will have an extra 12-months’ time for these appointments, so it is looking to a 3 year frame in total for the implementation of this requirement.
As we count down for the final text; how do organizations get prepared for the new requirement on appointment of Data Protection Officers in Europe? Do they get prepared really?
Based on our privacy recruitment experience in Europe, we will split organizations into four big categories here in terms of approach.
Proactive - Organizations which started to look at their European Privacy team structures in the course of 2015 in order to have a feeling of the-day-after impacts.
Although they do not yet know whether it will be mandatory for them to hire a DPO in any European location, yet these proactive companies see this as a perfect moment of opportunity to assess their teams, capabilities of team members and workload. This exercise is not always done as part of the official corporate HR processes but by means of a ‘knowledge map’ prepared by the CPO, as simple as a spreadsheet of 'who is experienced with which privacy topics, in which jurisdiction, linguistic skills' and so on.
They have consulted their law firms and understood at least the baseline where EU institutions so far align. They informed the Board about potential impacts on the European organization of their business and they are checking grounds for additional headcount budgets. They talk to specialized staffing agencies in the market to hear the job/candidate market dynamics. These companies will enjoy a great head start when the GDPR is out because they have done some homework already!
Active – These organizations are also aware of potential DPO appointment requirement. CPOs have an idea about the additional amount of work which will land on their plate as of GDPR agreement but they will initiate their workforce analysis only after when it is out and carefully assessed by internal teams. They plan to do this sometime within the first half of 2016; to lay down the as-is / to-be headcount situation as per new tasks and make a strategic plan around how to find the ‘human resources’ their European privacy teams. They are already contacting specialized service providers for the recruitment of new members or training firms to help develop current members.
Alert – These organizations are aware about the new potential requirement but have not taken any sort of preparatory action yet. They rely on the 2-year transition period to analyse it thoroughly, make action plans and execute those plans. This will then include workforce planning, getting necessary headcount and budget approvals, discussing resourcing options with the HR, going out in the European candidate market and have the perfect team ready at their desks by end of 2017.
Need guidance – These organizations know that ‘something’ is coming but they either pretend it is not there, or they think it is for large companies only, or it will be delayed with some additional scrutiny, or they are simply wrongly informed about the EU decision making process. It may be a challenge for this group of organization to keep up with all the work within 2 years’ time.
So, which category does your organization belong to?
Perhaps also a few words on the importance of timing. Do not wait until the last minute to hire your new privacy team members. Organizations which plan to recruit new DPOs/Privacy Officers in Europe, whether as a result of the GDPR or not, are recommended to allow adequate time for the entire hiring process. Unless you opt to assign a privacy expert for a short-term/specific project, end-to-end recruitment process may take months. Here are the lead times you'd need as of the moment you conclude that you need a privacy officer until the person joins on board.
First box is affected largely by the complexity and the decision making mechanism of an organization.
Second box is affected by many factors. You will be looking for highly-specialized individuals who have the right experience and skills. New team members who are in privacy as a positive choice, who are ready to go for the extra mile with you and make it happen. And, you are not the only one! Global businesses are more and more looking to invest in their European privacy teams (GDPR-related or else) and they are looking at the same target group of job-seekers. In addition, your internal resources for a thorough candidate search may not be adequate. Therefore many organizations are seeking assistance of an privacy-specialized agency which can perfectly work in parallel with your direct efforts.
And finally the last box: time to start. European countries have strict labor laws and long notice periods. It is not unusual to wait for a good candidate for 2 months as of the offer signature.
Finding the right privacy person and in a timely fashion is a challenge but it can definitely be planned better!
Would you like to hear how we can help your current European privacy hiring?
CALL US at +32 (0)2 308 4286
or E-MAIL US to schedule a call