[BreachExchange] Why Every Business Should Have a Data Protection Officer

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 17 18:55:16 EDT 2018


https://opendatascience.com/why-every-business-should-have-a-data-protection-officer/

It’s been over a month since the tumultuous installment of GDPR. This marks
a sea change for data protection and privacy regulation worldwide. But in
contrast to the commotion during the lead-up, the first month of the GDPR
era has been mostly silent.

Brussels has yet to announce any violations or fines. In addition, we don’t
know if the EU’s data protection authority is actually actively
investigating complaints. EDPS, the EU’s independent data protection
authority, shared its last update on May 31.

Despite the quiet amongst political entities, all is not so along the data
protection front, particularly among the EU member states. Authorities have
reported significant upticks in data protection complaints. An increase in
reports of data breaches by companies processing EU citizen data (GDPR
requires such breaches to be reported within 72 hours) has also been cited.
CNIL, the French data protection authority, has reported a 50% rise in
complaints.

All the while, users with EU-based site accounts have been bombarded with
emails notifying them of updated privacy policies and consent confirmations
(although some have questioned whether or not businesses are actually doing
anything). Some online vendors have taken it to the extreme by continuing
to bar EU IP addresses completely from online signups and purchases in
order to reach compliance.

In order to maintain compliance and ensure the welfare of digital users,
businesses now look quite often to the role of the data protection
officer.

What is a Data Protection Officer (DPO)?

One of the most significant requirements of GDPR is that certain
organizations must appoint a ‘data protection officer’ to oversee
compliance with the regulation. Formally, the role dates back at least to
2001, when German law began requiring companies with more than 9 people to
appoint a DPO if the organization works with personal data. Under such
previous laws, the DPO serves as a referee for data protection issues. The
DPO is charged with balancing the interests of an organization’s leaders,
employees, shareholders, and data subjects.

GDPR extends the DPO requirement to companies of all sizes whose “core
activities” involve processing personal data of EU citizens. New DPOs will
be tasked with monitoring compliance with GDPR through data audits,
trainings, and general awareness-spreading throughout their organizations.
They’re also the first point of contact for data protection authorities, as
well as data subjects with questions or complaints about how personal data
is handled.

Does your organization need a DPO?

Article 37 of the GDPR stipulates that organizations must appoint a data
protection officer if any of the following conditions are met:

1. The organization is a public authority or body that processes EU data
(with the exception of courts acting in a judicial capacity).
2. The “core activities” of the organization involve regular and systematic
monitoring of data subjects on a large scale.
3. The “core activities” of the organization involve processing data
relating to criminal convictions.

Many will consider “core activities,” “large scale,” and “regular and
systematic monitoring” subject to interpretation. The UK’s Information
Commissioner’s Office offers some helpful advice in this regard:

- “Core activities” are the primary business activities of an organization.
If working with personal data is necessary to achieve a key business
objective, then it’s a core activity.
- “Regular and systematic” monitoring of data subjects includes all forms
of tracking and profiling, both online and offline. Behavioral advertising
falls under this category.
- When determining if processing is on a “large scale,” the number of
subjects, volume and range of information, and duration or permanence of
the processing activity all ought to be taken into account.

For example, if your organization’s marketing department regularly uses
algorithms to monitor and analyze the behavior of users or customers, that
would almost certainly meet the criteria for requiring a DPO.

Why a DPO is a good idea, even if you don’t need one

At first, the DPO requirement may seem totally unrealistic for many
organizations. Few SMEs can afford to spend significant amounts of time
ensuring compliance with new data protection legislation, let alone hiring
a data protection expert to scrutinize their day-to-day operations.

The good news is that appointing a DPO isn’t as costly as it might seem.
For one, companies can appoint an existing employee to the role. GDPR
doesn’t require DPOs to have any specific education or training. The
statute requires only that a potential DPO have suitable “professional
qualities” and some knowledge of data protection law and practices. In this
vein, EDPS offers resources for the fledgling DPO, including a brief
PowerPoint presentation that helps them get started.

Indeed, some quick LinkedIn searching over the recently announced list of
EU agency DPOs reveals that many lack any specialized training in data
protection. For smaller organizations in particular, a DPO with some
general background in law seems to suffice. For them, cybersecurity
organizations like the Security & Continuity Institute (SECO) in Amsterdam
offer training programs and certification exams. In other cases,
organizations can appoint an external DPO without hiring them on as a
full-time employee. Companies like the DPO Network have been offering
recruitment services for both internal and external data protection and
privacy experts, including DPOs.

Even for organizations that don’t ostensibly need a data protection
officer, it’s still a good idea to have one. At this early stage, it’s hard
to know how wide-ranging GDPR enforcement will become, as well as
how terms like ‘large scale’ and ‘core activities’ may be interpreted. And
even if an organization believes itself fully compliant with the regulation
now, a change of strategy in a marketing department or an engineering team
could misalign ‘core activities’ with the regulation.

Appointing a DPO can be a cost-effective way of preempting complaints, as
well as identifying places where compliance may be compromised, now and in
the future. Perhaps even more important, most experts agree that for the
foreseeable future GDPR enforcers will scrutinize companies for good-faith
efforts to reach and maintain compliance. Voluntarily appointing an officer
to serve as a point of contact with regulators and data subjects is a great
way to show such an effort.