With only a matter of months until the General Data Protection Regulation (GDPR) comes into force, Infosecurity has often found that there is still a lot of uncertainty about achieving compliance. To help resolve this, data privacy officer and expert Steve Wright is joining us here to answer your questions.
Today, Steve was asked: “Hello, I am going to become the Data Protection Officer at my company and I wanted to know where you would suggest I go to take my first steps - courses etc. I am new to it all.”
Steve says:
“Articles 37 and 38 talk about the principles and impartiality of the critical data protection officer role, or in other words, they specify the high-level rules on what can and can’t be done, but like most of the GDPR - they leave wide open the interpretation of the ‘how and when it is appropriate to have a DPO.’
“The Article 29 Working Party has provided much-needed guidance on this subject, and we have been told which roles can’t hold DPO responsibilities (i.e. CEO, marketing director – as a conflict of interest), but it does not address the first question on every organization’s lips: ‘do I need to appoint an independent DPO in the first place and if yes, when?’
“The answer lies in the organization itself, or specifically, what data processing activities you undertake. If, like many organizations, you process large quantities of EU personal data (for example, a small US-based web profiling firm that tracks IP addresses or web cookies for a French utility website to provide customer website stickiness), or if you hold sensitive personal records (think medical history in a school where you have to maintain CRB checks, sickness and medical conditions).
“If the answer is yes, then your organization qualifies under GDPR rules and you therefore need to allocate someone with the DPO responsibilities (NOTE: The DPO does not necessarily have to be directly employed by the organization, just qualified to hold the role).
“Like the applicability of GDPR itself, it is also not dependent upon the number of staff or size of turnover, which is why many of the UK’s 5.7 million small to medium-sized organizations qualify for GDPR (55 million across the EU) and why so many other organizations around the world who provide services into Europe are busy preparing themselves for GDPR compliance.
“This makes GDPR a truly global regulation and its implications are far reaching; for example, if as an EU citizen I wanted to exercise my ‘rights’ under GDPR with an organization based in Delhi, then I’m entitled to this right (assuming my personal data is processed there), and the organization has to uphold my request.
“Depending upon the size of your organization and the level of processing activities you undertake, you may choose to nominate an individual with responsibility or split the role among different roles, or even outsource the role externally. However, the only stipulation is that the DPO must be truly independent and understand the systems/processes that process personal data and/or deliver services to EU citizens and crucially - be qualified or experienced in data protection, which is obvious when you think about the unique nature of the advice given and the difficulty in interpretation of the GDPR rule book. It also precludes the role being held solely by a lawyer; as important as it is to understand the law, it is equally important to be able to implement the law within your organization.
“So, every DPO has rather a difficult job to do. They need to understand the implications of the law within your organization, uphold the rights of individuals and provide careful advice surrounding the implementation of the rules (get this wrong and you could end up in court, or face huge financial penalties). Of course, this is naturally dependent upon how much data you are processing or perhaps the risks your systems face from their daily processing activities.
“In other words, if your systems/processing data is large, complicated and stretches back to the Domesday Book – you’ve a lot of work to do. Conversely, if you process small amounts of EU personal data, then the impact of GDPR is nominal. The key to appointing your DPO is choosing an individual who understands law, security and privacy risk. You need someone who can determine the difference between a business decision and a true privacy/security risk (e.g. consent, rights or data encryption) and has the ability to make crucial judgements on what could attract unwanted regulator attention or could cost the business in loss of trade or a missed opportunity - a tricky balancing act.
“The key to this role then lies not only in finding a knowledgeable, sensible (under pressure) and balanced individual, but also an individual who understands the principles of privacy and security and can act with integrity in protecting the rights of an individual, and preferably can advise on protecting the personal data to avoid any harm to that individual.
“Above all, whether you outsource, co-source or hire a DPO (or contractor), my strong advice is that you pick someone who understands GDPR, risk and controls, and has experience of implementing mechanisms that will allow your organization to make appropriate and proportionate risk assessments (think Privacy by Design) and realistic recommendations that will balance the cost of doing business (to comply) against the cost of growing the business.
“Good luck in your search, and take your time to find the right solution for your organization.”
If you have questions for Steve to answer on GDPR, email us or tweet @privacydj.