

Post written by Jeff Erramouspe, CEO of Spanning Cloud Apps, the leading cloud-to-cloud data protection company.

May 25, 2018 will be the start of a new era of personal data rights. That’s the date when arguably the broadest and most stringent regulation in the last 15 years takes effect: the European Union’s General Data Protection Regulation (GDPR).


GDPR requires companies to appoint a data protection officer (DPO) in certain situations as the person responsible for advising on and monitoring compliance with the regulation. You need a DPO if your organization's core activities involve regular and systematic monitoring of individuals in the EU on a large scale, or large-scale processing of special categories of personal data (such as health, biometric or genetic data). Note that the regulation protects people located in the EU, not only EU citizens. A DPO is also mandated for public authorities and bodies.

If you’re a tech leader in a U.S. company, you may be thinking, “Does this apply to me?” That’s the wrong question to ask. The question you should ask yourself is, “Do I have customers who care about the privacy of their data?”

As a CEO in this new era, one of my essential responsibilities is assuring my customers that their data is safe. That doesn’t just involve putting in place the proper cybersecurity controls, it’s also about establishing the proper business rules and policies — such as rapid breach notification and response to customer requests to delete personal data — that allow customers to have confidence that their data is treated with the appropriate care. From this broader perspective, putting a DPO in place is not only about regulatory compliance — it’s about competitive advantage.

If you haven’t started looking for a DPO, it’s time to understand the responsibilities of the position and how to fill it. Having spent a significant amount of time and attention on this myself, here’s what you need to know as a tech leader about the DPO mandate and the ideal characteristics of highly effective DPOs.

The Role Of The DPO

The GDPR describes the data protection officer as an independent function within the organization that informs and advises on the regulation's obligations, monitors compliance, develops and maintains the supporting policies and acts as the point of contact for supervisory authorities and data subjects.

Article 37 of the GDPR outlines the conditions under which an organization is required to appoint a DPO. In essence, any company whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of personal data, needs to designate one. In practice this can include companies that provide software-as-a-service (SaaS) offerings, social media platforms, educational institutions, health care services, data mining platforms, digital advertising and marketing services and more. The bottom line is that if you hold a large amount of personal data of EU residents, you need to assess whether you fall under the mandate and consider your risk exposure either way.
