[BreachExchange] The Role of a Data Protection Officer under GDPR

[Audrey McNeil]

https://www.jdsupra.com/legalnews/the-role-of-a-data-
protection-officer-13241/

In the most recent episode of Countdown to GDRP, Jonathan Armstrong, a
partner at Cordery Compliance in London and myself considered the role of
the Data Protection Officer (DPO) in complying with the new regulations
which go live on May 25, 2018. You can check out the full conversation here.

The Cordery Compliance FAQs note that DPO must be appointed to deal with
data protection compliance where:

 - The core activities of the data controller or the processor consist of
processing operations which, by virtue of their nature, scope and/or
purposes, require regular and systematic monitoring of data subjects on a
large scale; or,
 - The core activities of the data controller or the processor consist of
processing on a large scale of special categories of personal data, namely
those revealing racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade-union membership, and, the processing of
genetic and biometric data in order to uniquely identify a person, or data
concerning health or sex life and sexual orientation (which can only be
processed under certain strict conditions such as where consent has been
given), or, data relating to criminal convictions and offences.

The DPO must be suitably qualified and is mandated with a number of tasks,
including advising on data- processing, and, must be independent in the
performance of their tasks – they will report directly to the highest level
of management. Businesses will therefore have to determine whether a DPO
must be appointed or not, but, given the significance of privacy compliance
today, even if technically-speaking a DPO is not required to be appointed,
a business of a particular size that regularly processes data may wish to
consider appointing one in any event.

Compliance practitioners will note the similarities with the series of
requirements by US Department of Justice (DOJ) for the professionalism,
authority, corporate standing and resources made available to a Chief
Compliance Officer (CCO). Armstrong this professional requirement has
existed in several EU countries such as Germany, Hungary and Austria. While
you are not required to have a law degree, it certainly would assist any
DPO in interpreting GDPR and any commentary on it from EU member countries.
Armstrong also noted that some countries such as Ireland, have come out
with specific guidance on the qualifications of a DPO which are “worth a
read.” However if the DPO is someone more usually seen as a CCO, there will
need to be some technical competence or skills made available to them.

The steps that a DPO should take at this point will also be somewhat
familiar to a compliance professional. It all starts with a company
assessing its data privacy and data protection risks under GDPR and then
move to manage those risks. Not every risk can be covered at this point in
time so any DPO must come up with a remediation plan and work towards
managing those risks. Armstrong emphasized that GDPR belongs to the
business and this means the business unit folks should be a part of this
remediation. Obviously, the business folks are going to understand the
business implications more than a DPO so they should be consulted.

Armstrong believes one of the key focal points for any DPO will be in data
protection related activity. In addition to the technical requirements for
data protection there is the need to train employees what to happen if
there is a data breech. There now a 72-hour window for reporting data
breeches and employees need to be trained to report such breeches up the
line, immediately upon discover so training led by or approved by the DPO
is critical at this point.

Senior management should certainly be consulted but there may need to be an
educational component as well to discuss potential issues which might turn
into violations. There are specific data regulation protocols under GDPR
which should be considered. Certainly in the United States the new rights
created under GDPR: the Right to be Forgotten, “which is the right to have
personal data erased “without undue delay”, based on certain grounds, for
example where data is no longer necessary in relation to the purposes for
which they were collected or otherwise processed”; the Right to
Portability, “which is an individual’s “right to receive the personal data
concerning him or her, which he or she has provided to a controller, in a
structured, commonly used and machine- readable format and have the right
to transmit those data to another controller without hindrance from the
controller to which the personal data have been provided”;  and the Right
Not to be Profiled, which is “defined as “any form of automated processing
of personal data consisting of the use of personal data to evaluate certain
personal aspects relating to a person, in particular to analyse or aspects
concerning a person’s performance at work, economic situation, health,
personal preferences, interests, reliability, behaviour, location or
movements.”

Finally another key right is the “Subject Access Request” (SAR); [which
will no doubt sow confusion with US SAR’s (Suspicious Activity Reports).
Under GDPR, SARs a company must have a process which have “a process
whereby someone can exercise their right to gain access to data held on
them, must be answered within one month of receipt of the request, but
which may be extended for a maximum of two further months when necessary
taking into account the complexity of the request and the number of
requests. It must also be highlighted that under the new rules the ability
for a business has to ask for a fee for an SAR has been abolished.”

The role of the DPO is critical in complying with GDPR. The time to start
is now. For more information, visit the Cordery GDPR Navigator, which
provides a wealth of information to utilize in your data privacy compliance
program.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180302/e2ee1951/attachment.html>