I’ve been asking recently about how large banks, utilities and organisations engaged in processing EU personal data are going to deal with the behemoth of the GDPR in 2018 – the Data Protection Officer. The response: we’ll deal with it in 2018.
You may have CTO, CIO or IT Director after your name and a budget for privacy, but will that arrangement comply with the new law? The answer in most cases is no. Until now, organisations have had an individual wearing the privacy cap. They may be assigned functionally but usually report higher up to someone wearing a bigger cap. Most organisations will struggle with the independence (yes, independence) requirement the GDPR places on this role, viewing it as sitting primarily within either the security function or the legal function. Where it sits isn’t the issue: access to the primary decision makers and the ability to perform the function without being sidestepped is.
Below, I’ve set out the key responsibilities of a DPO, a newly defined management role, under the new regulation:
- Advise the organisation and employees of their obligations under the Regulation and related regulatory requirements
- Monitor compliance with data protection and related laws including internal policies
- Provide advice on data protection and privacy impact assessments; the organisation is required to seek the DPO’s advice when conducting any impact assessment
- Act as liaison with the Data Protection Commissioner (or appropriate supervisory body) and co-operate with them
- Act as contact for data subjects seeking access to their data or as part of a data breach response
Who needs one?
- You are a public authority or body, except the Courts acting in a judicial capacity
- Your core activities involve regular and systematic monitoring of data subjects on a large scale
- Your core activities involve large scale processing of sensitive personal data, including biometric or genetic data, or data relating to criminal convictions or criminal records
- Member state law requires a DPO to be appointed
The above applies to all EU-based organisations and to organisations outside the EU engaged in any of the above, regardless of where they are based.
The DPO packs a lot of punch. They must be independent of day-to-day management, to the extent that they cannot receive instructions from anyone in relation to the performance of their tasks, and they cannot be dismissed or penalised for carrying out their functions as a DPO. So to speak, the “Heads of” or the media and communications function will have to seriously wind their necks in.
Furthermore, they must be provided with the required support and resources to do the job, and with training to maintain their expert knowledge. Failure to ensure this independence or to provide this support is an offence under the Regulation.
They also report directly to the highest management level in the organisation and must be involved in a timely manner in all issues relating to the protection of personal data: that is, in business strategy and objectives, system requirements and security, marketing, PR and communications strategy. Sidelining the DPO will incur serious penalties.
Digesting the above, it is clear that outsourcing the role or appointing a contract DPO may be an option for organisations that struggle to meet the above criteria because of existing reporting structures. The DPO’s independence is designed to step on toes where necessary to ensure the Regulation and related obligations are met.
A dedicated expert resource within the organisation, skilled in the unpleasant role of unearthing ticking time bombs, ultimately leads to cost savings. The accountability requirement means the DPO will document the organisation’s compliance, and this will force privacy by design and by default. It will also force many organisations to assess accurately the types of data they hold, how much, and how it is processed, in order to establish whether they are required to have a DPO. There’s no harm in doing this anyway, as smaller organisations might also be caught by the requirement.
Failure to comply with the requirement to have a DPO who performs their tasks independently, and to ensure effective documentation of processes and controls, will attract a penalty of €10 million or 2% of turnover.
There is already a shortage of expert, qualified and experienced DPOs, particularly if you’re looking for a DPO with excellent information governance and risk management experience and appropriate technical and data protection law knowledge. Do not wait until a month before enforcement in May 2018 – act now.
About Elizabeth K. Dunne
Elizabeth is a lawyer and certified data protection practitioner with fourteen years’ experience in data protection, telecoms, financial services and regulatory compliance.
Elizabeth is based in Dublin, Ireland. www.dataofficer.ie