Rarely do U.S.-based businesses consider the implications of the General Data Protection Regulation (GDPR), which came into force on May 25, 2018. Executives might feel that, since they only operate physically within U.S. territories, this European Union (EU) law does not extend to their neck of the woods.
Although this assumption is true in many cases for U.S.-based businesses, there are a few digital exceptions that call for these businesses to operate under the specific requirements of GDPR. In these cases, businesses will need to appoint a Data Protection Officer (DPO) to oversee their data protection strategy and implementation while keeping the organization on the path towards GDPR compliance.
If this sounds like your organization’s area of need, follow along below and we’ll get you up to speed with our high-level overview of both GDPR requirements and DPO requirements and responsibilities.
The EU’s General Data Protection Regulation (GDPR) has been in force for less than a year and is already making waves amongst individuals and businesses around the world.
GDPR was implemented to give EU citizens more control over their personal data. Its primary focus is to simplify regulations so that businesses and customers can fully benefit from the global digital economy that we’re living in now.
These GDPR regulations call for businesses to protect customer data from being misused and exploited by hackers to keep from being hit by big penalties.
GDPR distinguishes between the two types of data handlers (processors and controllers) in Article 4 of the regulation. Whereas a controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”, the processor is a “person, public authority, agency or other body which processes personal data on behalf of the controller”.
The entity with the higher legal liability under GDPR is the controller, as controllers have more control over customer data and personal data records than processors do. Controllers are also tasked with making sure that all of their processors are in full compliance with GDPR.
The type of data that GDPR protects includes name, address, photos, IP addresses, as well as sensitive personal data such as genetic data and biometric data that could be used to uniquely identify an individual.
Although much of GDPR pertains to European nations, its reach extends far beyond the borders of Europe to international organizations that are based outside the region but operate on European soil (digitally). This means that even non-EU based companies that handle personal consumer data residing in EU territories must follow GDPR requirements. Many companies that operate within the hospitality, travel, software services, and e-commerce industries need to take a closer look at their online marketing practices to ensure they’re not overstepping their boundaries under GDPR.
Overall, the one thing to remember about GDPR for those businesses that must adhere to it, is that consent must be “freely given, specific, informed, and unambiguous.” Even in cases where the customer has signed up to buy a product or service, the business must also send them information that details in very clear language what their company will be doing with their personal information.
Once the data is collected, the company must protect it per GDPR standards (which aren’t too different from PCI DSS, ISO 27001, or NIST). With recent talk of accelerated adoption of GDPR-type legislation on a global scale, it’s best to stay ahead of the future trends and adopt GDPR into your organization sooner rather than later.
Data Protection Officer (DPO)
If your organization is required to adhere to GDPR requirements or you want to get ahead of the impending global adoption of GDPR-like regulations, you need to appoint a Data Protection Officer (DPO).
In short, a DPO is responsible for overseeing data protection strategy and implementation in your organization to ensure that you follow GDPR requirements. The DPO must be an expert in data protection but most importantly must be an unbiased independent entity that reports to the highest management level.
Your DPO can either be an existing employee or externally appointed, but doesn’t need to strictly work for your organization as DPOs can work for many companies simultaneously.
GDPR places importance on having a DPO to ensure that organizations are held accountable for their customers’ data protection needs. Both controllers and processors can appoint a DPO if they wish, even if they aren’t required to.
Those companies that are a public authority or body where their core activities require large scale, regular and systematic monitoring of individuals or special categories of data (such as data relating to criminal convictions and offences) must appoint a DPO. A DPO can help you operate within the law by advising and helping to monitor compliance, thereby playing a key role in your organization’s data protection governance structure.
A survey conducted by AIIM found that more than 70% of respondents had appointed a DPO in 2018 due to the implementation of GDPR, but the remainder either had not appointed one or weren’t aware that their organization even needed one.
If your organization establishes that it needs a DPO, you need to ensure that they can work independently to conduct privacy assessments without any distractions or conflict. Some organizations choose to simply expand on an internal employee’s job responsibilities to fulfill the role of DPO, but before they do so they must receive the appropriate training and GDPR education.
Taking the internal employee away from their duties for training and certification, then adding DPO duties to their plate, can lead to them being spread relatively thin. For small organizations, this might be the only option available, but for larger organizations it would be preferable to hire an external contracted DPO service that maintains a deep understanding of GDPR, data privacy and processing.
These organizations should focus on finding someone who has a long history in cybersecurity, risk and privacy who is also experienced in audit and risk assessment practices.
DPO Knowledge and Culture Fit
DPOs need to be well versed in data protection law while also offering expert guidance to executives on IT programming, infrastructure, and audits. The foundation of the DPO’s knowledge needs to evolve constantly, because the data protection threat landscape is also constantly evolving.
This is to ensure that the DPO has the necessary understanding to sustainably protect the organization at every turn from potential breaches. To supplement their continuously evolving knowledge, the DPO must also be adept at communicating this knowledge effectively to the necessary parties without outside influence.
The DPO must also be skilled at conveying advice and recommendations to superiors, even when faced with conflict over their decision to implement changes to the organization’s data protection system infrastructure. It is for this reason that it would be best for the organization to find a DPO who is not just a wealth of knowledge, but also a company culture fit. The process of bringing a DPO together with the rest of your organization should be organic, not forced, to ensure a sustainable, long-term relationship.
DPOs serve as the primary point of contact between the organization and any Supervisory Authorities (SAs) that oversee data-related activities. The main responsibilities of the DPO are outlined in GDPR Article 39, which states that the DPO must:
- Educate the company and employees on important compliance requirements.
- Train staff involved in data processing.
- Conduct audits to ensure compliance and address potential issues proactively.
- Monitor performance and provide advice on the impact of data protection efforts.
- Maintain comprehensive records of all data processing activities conducted by the company.
- Interface with data subjects to inform them about how their data is being used, their rights to have their personal data erased, and what measures the company has put in place to protect their personal information.
The organization that employs the DPO must ensure that they uphold their end of the bargain by providing the DPO with the positive environment they need to fulfill their job requirements. This includes, but is not limited to the organization ensuring that:
- The DPO is involved, closely and in a timely manner, in all data protection matters.
- The DPO operates independently and is not dismissed or penalized for performing their tasks.
- You provide adequate resources to enable the DPO to meet their GDPR obligations and to maintain their expert level of knowledge.
- You give the DPO appropriate access to personal data and processing activities.
- You give the DPO appropriate access to other services within your organization so that they can receive essential support, input or information.
- You seek the advice of your DPO when carrying out a DPIA.
- You record the details of your DPO as part of your records of processing activities.
GDPR also requires that the organization publish the contact details of their DPO to the Information Commissioner’s Office (ICO). You aren’t required to include the name of the DPO when publishing their contact details, but you can choose to provide it if you think it’s necessary or helpful. This is helpful to both consumers and the ICO, as it holds both the organization and the DPO accountable for any data-related breaches. If a personal data breach does occur, the organization would need to provide the full name of the DPO to the ICO and ensure that the individuals affected by it know who to contact about specifics and remediation efforts.
Whilst the Data Protection Officer is not a strictly defined role, the DPO’s responsibilities often include a variety of tasks. DPOs are responsible for educating the company and its employees on important compliance requirements, training staff involved in data processing, and conducting regular security audits.
Although the DPO isn’t personally liable for a company’s data protection compliance, they do play a critical role in helping the organization fulfil its GDPR obligations. The tasks and responsibilities that a DPO normally handles relate to:
- Informing and advising the organization and its employees on their current and forecasted GDPR obligations.
- Monitoring the organization’s GDPR compliance efforts as it pertains to their internal data protection policies and procedures. This includes monitoring the assignment of responsibilities, awareness training, and staff training sessions that pertain to processing operations and related audits.
If your organization handles personal information at a high level, then data protection is an incredibly important subject. With a shortage of individuals trained to handle the specific DPO responsibilities, outsourcing these tasks and duties can help your organization address the compliance demands of the GDPR while staying focused on your core business activities.
There is no denying that the long arm of GDPR extends far beyond the borders of the EU. It is for this reason that organizations need to be mindful of their need to employ a DPO to coordinate their data protection processes and keep their consumer data out of the grasp of hackers.
Even if you aren’t currently required to adhere to GDPR, it still makes sense for the longevity of your organization to put a focused DPO in place to care for the safety of your customer data. The act of hiring a DPO shows the ICO and your customers that you’re committed to complying with GDPR.
If you haven’t started looking for a DPO, it’s best to understand the core requirements and responsibilities that the position entails before going through the process of filling the spot within your organization.
Your DPO should have the ability to take their evolving knowledge and understanding of IT data protection and communicate it effectively to top executives. Even in the face of disagreement or resistance from executives, the DPO must stand firm in conveying their advice and recommendations to decision makers.