[BreachExchange] What Your Data Protection Officer Should Know About Privacy Requirements

[Audrey McNeil]

https://resources.infosecinstitute.com/what-your-data-protection-officer-should-know-about-privacy-requirements/

Data privacy suddenly got hot a few years ago when Edward Snowden made his
revelations about the NSA snooping on U.S. citizens’ data. Since then, data
privacy violations and misuse have become synonymous with major companies
such as Facebook, Google and Equifax. The word “privacy” is now well and
truly associated with the troubles surrounding online data.

Data privacy is about how the information that represents an individual
online or offline is used. Privacy is about choice and data management as
much as it is about the security of these data. As part of the push towards
a more privacy-respectful community, there have been a number of new or
updated laws and regulations on the world stage.  One such law has been the
EU’s General Data Protection Regulation (GDPR) which came into force on May
25, 2018.

This article will address the sorts of details of the GDPR that any
self-respecting Data Protection Officer (DPO) should know about.

Getting Personal: What Is Personal Data According to the GDPR?

The GDPR offers a definition of what constitutes personal data. This
definition states that personal data is anything that can be used to tie
the data to an individual: name, date of birth, address and so on. The GDPR
extends the definition by including behavioral data and data such as
religious and political leaning. Knowing what the term “personal data”
actually describes is fundamental to your DPO’s knowledge base and will
dictate how compliance with GDPR relates to your business.

GDPR categorizes personal data into two types:

Personal Data (Article 4)

This is the data most companies are used to dealing with. Data such as
name, address and location are typical, but personal data can also cover IP
address, genetic data, economic, cultural or physiological information.

Special Category: Sensitive Personal Data (Article 9)

This extended category includes data that pertains more to behavior but
that still can be used as an identifier for an individual. These data
include genetic and biometric, as well as lifestyle data such as religion,
racial or ethnic origin and trade union membership.

Collecting and Consenting: Personal Data Use Under GDPR

Consent is an area that has created confusion and headaches for many
companies. The whole area is prone to misunderstanding. But consent is a
pillar of the GDPR, so vital to get to grips with, especially if you are a
Data Protection Officer.

A DPO must understand exactly what the rules of consent are under GDPR, and
how these are used in a pertinent manner in your overall business
processes. If you collect and process personal data, you are under an
obligation to collect user consent. Article 4 (clause 11) sets out how you
take that consent and uses words such as “freely given, specific, informed
and unambiguous” “… clear affirmative action”. Without a clear
understanding of what consent is and how and when it should be used, a DPO
can’t do their job.

Assessing Privacy: What Part Does a DPO Play in a DPIA?

A Data Protection Impact Assessment (DPIA) is usually carried out under the
advisement of a DPO. It is a process of understanding, mapping and
documenting how you collect, process, store, delete and otherwise handle
personal data, and how this stacks up in relation to GDPR compliance.

The Fit: Where Does a DPO Fit Into the GDPR Equation?

A Data Protection Officer (DPO) is an individual either internal to an
organization or employed on a consultancy basis. A DPO can be described as
a data privacy professional and will have the experience and possibly
certification to prove it. The DPO advises the business on how to ensure
they are GDPR-compliant. The DPO needs to understand how the company
operates and what types and level of data processing is being carried out,
as well as the requirements of GDPR and data privacy in general.

The Mandated DPO

The GDPR mandates that an organization engages a DPO if they fall into one
or more of these categories:

Public authority or body
Process data on a large scale
Process “special category” data

The GDPR has the concept of data controllers and data processors — both are
required to use a DPO if they fall into any of the three categories above.
(Further details of what a data controller is can be found in our article,
“Does the GDPR Threaten the Development of Blockchain?”)

But though the GDPR may not mandate the use of a DPO for all organizations,
it strongly advises using one to interpret GDPR requirements.

DPOs for Companies Outside the EU

Companies outside of the EU will need a DPO if they offer goods or services
to a person, or monitor the behavior of a person, residing in the EU. The
conditions of the mandate are as above, but again, it is strongly advised
to use the services of a DPO to interpret the GDPR requirements with
respect to your own organization.

Size of Company and DPO

The requirement for a DPO is predicated on the activity of the company and
not the size — even smaller organizations, if they fall into the mandatory
categories, will need to use a DPO.

Location of a DPO

The GDPR strongly suggests the DPO be based in the EU but has provision for
DPOs to be located elsewhere if your organization can show it would be more
effective to do so.

Inside and Out: The DPO, Sensitive Personal Data, Company Types and Mapping

Each company has its own internal processes and ways of collecting and
using personal data. This means that the DPO needs to understand the
nuances of your business and how you operate. Only with that knowledge can
they make sure that they can map the GDPR requirements seamlessly to your
operative norms.

The DPO will be able to isolate instances where you are outside of GDPR
compliance and suggest ways of adjusting your procedures and actions to
meet compliance. A DPO will also be aware of some of the reduced
obligations that are on offer from the GDPR, e.g., reduced documentation
expectations for companies under 250 employees.

Because GDPR requirements have points of overlap with data security, e.g.,
suggested encryption of stored data, the DPO must be able to work closely
with your security team.

If you appoint a DPO from inside your organization, you need to ensure that
conflicts of interest cannot occur. The International Association of
Privacy Professionals (IAPP) carried out a survey into the appointment of
DPOs. They had a number of useful responses on the subject of conflict of
interest. Respondents stated that internal DPO appointments should be
“sole-role” or would be down to the individual’s own professionalism to
avoid such conflicts. The survey also identified that DPOs would be
expected to report directly to the highest level of an organization, thus
focusing the mind of the DPO. Notably, two-thirds of surveyed respondents
said they were likely to employ an internal person as their DPO.

Other Countries: Does a DPO Need to Know About Privacy Regulations in
Countries Outside the EU?

More countries are creating, updating or expanding existing data protection
laws to include privacy. For example, California has recently approved
their privacy regulation “California Consumer Privacy Act of 2018 (CCPA)”
which is being described as GDPR 2.0. Another example is the new Personal
Data Protection Bill, 2018, about to be introduced in India. Using the
services of a DPO can be highly valuable in ensuring you comply not just
with GDPR, but with the data protection regulations of other countries too.

Conclusion: Make Sure Your DPO Knows About Privacy

If you decide to engage the services of a DPO, either internally or
externally, you need to make sure that the person you take on has the
requisite skills. Your DPO will act as an advisor to your business on all
things GDPR and other data privacy issues. They should act as an
independent, even if employed as an internal staff member. They will also
act as a liaison and go-between, communicating with data subjects as well
as your allocated GDPR Supervisory Authority.

A good Data Protection Officer will understand all of the complex aspects
of data privacy. Your DPO will be able to keep your company abreast of any
changes in the data privacy landscape, including new regulations above and
beyond the GDPR. Ultimately, your DPO will be your go-to privacy expert,
adding great value to your organization as data privacy regulations
strengthen and consolidate across the world.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180928/7bca83d9/attachment.html>