General Data Protection Regulation, a new set of privacy regulations designed to protect the data privacy rights of European residents, has companies scrambling to meet the May 25 deadline. With companies hosting a complex web of data systems used for a variety of business purposes, GDPR stands to disrupt how they collect and manage data, limiting how they use customer data for new services. But help may be on the way in the form of a new(ish) management position designed for knotty data challenges: the data protection officer. But first your company has to find one.

Corporations have had two years to prepare for GDPR, but a recent study casts doubt on the extent of those efforts. Ninety-four percent of U.S.-based chief information officers say their company “possesses or processes any personal data of customers based within Europe,” according to a Compuware report. But only 58 percent claim their firm has a “detailed and far reaching plan” to comply with GDPR. Among firms with more than 5,000 employees, 30 percent have a thorough plan.

Most GDPR headlines address fines incurred for data breaches and other penalties which can scale to 20 million euros (about $25 million), or four percent of a company’s global revenues, whichever is higher. Lurking deeper in the 88-page law is a less publicized talent codicil mandating commercial enterprises add another executive post to management ranks, if these “specific issues” apply to a firm’s European operations: “the core activities of the controller (a company) or the processor (third party contractor) consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.”

Translation: If European operations are vital to your company, and your firm has a database, in either electronic or paper format, of personally identifiable information on more than 5,000 European residents, GDPR stipulates your firm must hire a “data protection officer” by May 25th, or risk fines of 10 million euros, or two percent of global revenues, whichever is higher.

Recruiting a data protection officer will not be easy. The International Association of Privacy Professionals reports worldwide demand for 75,000 data protection officers, but few companies seem to be in hiring mode. Indeed.com claims only 9.7 job postings for a data protection officer for every million postings in the firm's global database of 20 million jobs.

Data from Burning Glass Technologies concurs: the words “data protection” or “data officer” appear in the job titles of 999 postings across its worldwide database. Demand for data protection officers seems to be outweighing supply. Get ready to write big checks.

Career paths leading to a data protection officer position are not discernible. A review of 20 data protection officer profiles on LinkedIn found 35 percent came from IT, 30 percent were lawyers, 20 percent were security professionals and 10 percent had compliance backgrounds.

GDPR regulations make DPO recruitment even more difficult. This mash up of roles and responsibilities for the position, lifted directly from GDPR, creates the quintessential “purple squirrel” job:

“The data protection officer will be involved in all issues that relate to data protection at the firm. This position will report directly to the highest management level at the company. The successful applicant will work in secrecy and cannot receive instructions on how to do their job. Expertise in European and other national protection law is required. The level of job expertise is not strictly defined but is commensurate with the sensitivity, complexity and amount of data processed at the company. The role acts autonomously and cannot be dismissed for performance of duties. The successful candidate can be assured of adequate financial resources to perform their tasks, must set aside time for continuous professional development and have necessary access to all HR, legal, IT and security services at the company.”

GDPR gives enterprises the option to source the role to third parties like consultancies or cloud providers. Robert Coleman, chief technology officer for CA Technologies in the U.K., says that is not a viable strategy, particularly for large firms, because “customer data is such a valuable corporate currency.” To protect all that privacy data, Terry Ray, chief technology officer at Imperva, a security firm, states “artificial intelligence technology is the only way a data protection officer can manage the massive overload of data inherent in GDPR compliance. AI will define what a DPO will, or will not, achieve”.

T.S. Eliot once said most of the evil in this world is done by people with good intentions. Data privacy is certainly a good intention. GDPR mandates may, however, create unintended consequences. Accenture writes that regional regulations like GDPR pose a “threat to global growth and innovation. Digital globalization, powered by the free flow of data, is giving way to digital fragmentation which is disrupting the global business environment.” Seventy-four percent of CIOs and CTOs surveyed by Accenture predict they “expect to exit a geographic market, delay market entry plans or abandon market entry plans as a result of increased barriers to globalization.”

But face it, GDPR is here to stay. Todd Wright, senior product marketing manager at SAS, says European Union regulators will zealously enforce this new law “because they believe data privacy is a basic human right; infractions will be taken very seriously.”

Chief information officers should also take GDPR seriously. Furthermore, they are the most logical C-suite executive to lead the search team for a data protection officer. Or, perhaps apply for the position themselves! But hurry. DPO-Day for the C-suite on May 25th is less than two months away.

Gary J. Beach is former publisher of CIO Magazine and author of “The U.S.Technology Skills Gap.” Reach him at garybeachcio@gmail.com or follow him on Twitter @gbeachcio.

CORRECTION: Indeed.com claims 9.7 job postings for a data protection officer for every million postings in the firm's global database of 20 million jobs. An earlier version of this story said Indeed.com claimed 1,940 data protection officer jobs in a database of 200 million jobs.