Breaches in the confidentiality of personal information gathered in the regular course of commercial or business activities have been in the news for many years with little to no compliance action until recently.
The General Data Protection Regulation (GDPR), published on May 4th, 2016, came into application on May 25th, 2018 and has since been an integral part of keeping personal and sensitive data safe from those who wish to use it maliciously.
GDPR enforcement has evolved through its first full year of application, making it much more difficult for many companies (Google included) to stay compliant and stave off colossal fines under GDPR.
Many American-based companies assume that, because the original terms of GDPR were drawn up for the European data market, the regulation does not apply to them. Unfortunately, many organizations’ digital operations run on a global web of platforms that fall under the jurisdiction of this data protection regulation.
A plethora of global companies are searching high and low for sustainable solutions, only to realize that the key to data protection compliance has been baked into GDPR all along. That solution lies with a company’s Data Protection Officer (DPO). This article serves as a high-level overview of the DPO’s role: its GDPR requirements and responsibilities, how to hire a good DPO, and which organizations and legal entities are required to appoint one.
What is a Data Protection Officer (DPO)?
Put simply, a GDPR Data Protection Officer (DPO) is an enterprise security leadership role that is required to exist within pertinent organizations per the GDPR.
DPOs are responsible for many things, but their main task is overseeing the organization’s data protection strategy and its implementation to ensure compliance with GDPR requirements. DPOs are part of GDPR’s enhanced focus on accountability and can help organizations demonstrate improved, sustainable compliance efforts through compliance advisory services.
DPOs can be either an existing employee or externally appointed and can serve as DPO for several organizations simultaneously or just serve a single company.
DPOs are tasked with monitoring compliance with GDPR regulation and other data protection laws, as well as an organization’s internal data protection policies. They also play a key role in awareness-raising, training, and company-wide compliance audits.
The main criteria for DPOs are that they must be independent and experts in data protection. DPOs must also be given access to the highest level of resources while reporting to the highest management level (most likely the CEO, the CIO, or both, depending on the company’s hierarchy).
After meeting with a DPO, executives take into account the DPO’s expert knowledge, advice, guidance, and recommendations on GDPR compliance and use that information to implement specific functions and controls that ensure proper enterprise system safety.
Security Clearance and Collaboration
DPOs must also maintain a high level of organizational security and clearance that allows them to process operational data and take into account the nature, scope, context and purposes of what is to be processed.
Wherever the core activities of the company, as controller, consist of regular and systematic monitoring of data subjects on a large scale, the DPO must be in the loop.
DPOs also act as the point of contact for the Information Commissioner’s Office (ICO), which allows the organization to collaborate and cooperate with the ICO in a more structured manner.
DPOs also serve an integral role in monitoring internal compliance. As such, they need to be easily accessible as a point of contact for all internal employees and external individuals including the ICO.
DPO Responsibilities and Requirements
As outlined in GDPR Article 39, the DPO’s responsibilities include, but are not limited to, the following:
- Educating the company and employees on important compliance requirements;
- Conducting DPIA audits that proactively address potential data protection issues;
- Monitoring performance and providing advice on the impact of data protection efforts;
- Maintaining comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities, which must be made public on request;
- Interfacing with data subjects to inform them about how their data is being used, their rights to have their personal data erased, and what measures the company has put in place to provide protection of personal data and information.
There aren’t any concrete requirements regarding the number of years a DPO has worked in the industry. In fact, the requirements are all very subjective and thus it is left to the organization to select the DPO they wish to represent them when speaking to the ICO.
Generally though, the DPO must at least have knowledge of:
- The different internal databases where personal data is held;
- The types of information stored in both internal and third-party systems;
- The different third-party systems where personal data is processed;
- How many data records, of each type, are stored in each system, bearing in mind that record counts are always subject to change;
- The data subject to whom each personal data record is attached.
Companies that wish to name an existing member of staff as the organization’s DPO can do so as long as that person’s current duties don’t conflict with the DPO role. Some organizations prefer to keep the DPO role separate from the organization as a whole to ensure complete confidentiality. Other companies choose to share a DPO, but that may be too much to handle for some executives who feel that sharing a DPO leads to far too much outside influence for them to stomach.
Does my company need a DPO?
Article 37 of GDPR specifies that hiring a DPO is mandatory for any organization that processes or stores large amounts of personal data, whether for employees, individuals outside the organization, or both.
Article 37 goes on to explain that large companies that employ more than 250 employees are required to appoint a DPO.
Now, that isn’t to say that companies with fewer than 250 employees are exempt, but their requirements depend on various factors such as:
- The amount of personal data that are processed
- Whether special category data are processed
- The nature of the business
Regardless of size, if an organization’s data processing is carried out by a public authority or body, a GDPR DPO must be appointed. If the controller’s core activities require regular, large-scale, systematic monitoring of data subjects, or if its core activities consist of processing special categories of data on a large scale, it must appoint a DPO.
Companies that fail to appoint a DPO must provide evidence as to why their business does not need one to function under GDPR.
The National Privacy Commission (NPC) also requires that the DPO must qualify as a personal information controller (PIC) or personal information processor (PIP). If the company is in the public sector (i.e., government offices), the DPO should hold a career or appointive position. Alternately, if the DPO is a contractor, the period of employment should be at least two years to ensure stability.
Hiring the Right DPO
One study carried out by the International Association of Privacy Professionals estimates that roughly 75,000 DPOs will be required worldwide to cater for the increase in demand for GDPR compliance.
Companies and organizations looking to hire candidates for a DPO role need to hone in on the candidates’ ability to manage data protection and compliance internally while reporting non-compliance objectively to the proper Supervisory Authorities.
Ideally, a DPO should have excellent management skills on top of being able to easily converse with internal staff and outside authorities when needed.
The selected DPO must have a significant amount of data protection experience and must be well versed in GDPR. Understanding GDPR requirements is a must to ensure that required tasks can be performed efficiently and effectively.
The right DPO must be able to alert the authorities of non-compliance while being empathetic of the effects that the company would be subjected to for that non-compliance.
DPO Core Components
One of the core components of a DPO’s role is being adept at tracking the movements of individual data records and monitoring how data is processed at scale. This is a complicated yet essential responsibility that DPOs must fulfill for the companies they serve in order to maintain GDPR compliance.
Many organizations have struggled to find suitable candidates to serve as their DPO due to the scarcity of suitably experienced and knowledgeable applicants in the market currently. It is for this reason that many of these companies are focused on training existing employees or outsourcing to third-party providers to accomplish these tasks.
Challenges in Hiring DPOs
Many organizations that need a DPO, ultimately find themselves under a mountain of obligatory paperwork that needs to be put into processes and implemented immediately. Once a DPO is hired, these tasks get dumped on their desk all at once. As such, companies must learn how to pave the path towards success for DPOs in all facets of their daily activities to ensure they can fulfill their individual duties as they pertain to GDPR.
Data Protection Impact Assessments (DPIA)
Case in point: the IAPP released a study that found that 40% of organizations have done a minimum of six Data Protection Impact Assessments (DPIA) in a single year. The man-hours required to complete just one of these impact assessments can vary significantly based on the size of an organization and many other factors, but all in all, they are tremendously overwhelming to complete.
DPIAs are challenging, but should not be made an impossible task for the DPO. The challenge in configuring a DPIA does not lie in dispersing and processing the data so much as in finding and consolidating the data when a DPO needs it.
In conducting a DPIA, the DPO will identify security gaps and unnecessary or extraneous personal data stores, and will come away with a map of where personal data lives throughout the company’s databases. DPOs must have real-time insight into the data processing activities happening throughout the entire company so that they can properly execute DPIAs. Organizations need to consolidate their personal data effectively to ensure that the DPO doesn’t have to weed through a surplus of over-complicated spreadsheets to fulfill DPIAs.
The 100% Autonomous DPO
DPOs do require some level of autonomy to complete their complex tasks and to configure processes and reports that ensure high-level effectiveness.
What organizations forget though, is that the DPO should be considered a member of the core data protection team, rather than a separate supplemental entity.
The DPO certainly has to fulfill their obligation to be independent from the organization, but they should be given the same access and insight into matters of data privacy as those on core teams.
Roughly half of DPOs are under-resourced (let that sink in for a minute). These DPOs don’t have a dedicated privacy team and have many operational tasks on their table. This puts DPOs in a hole when it comes to accomplishing their tasks since they do not have the appropriate resources to tackle compliance tasks effectively.
Takeaways and Opportunities
Companies are always looking for opportunities for a DPO to come in and shake things up in their organization.
Unfortunately, that may not be possible if the company does not already have its data structured in a way that gives the DPO a real-time, bird’s-eye view of its data processing activities. Giving DPOs this level of access can help them quickly discover data anomalies and jump on opportunities to minimize personal data loss.
Developing a GDPR-compliant data inventory platform is the most pertinent next step for companies to pursue. This essential tool allows DPOs to see data processing at a macro level, giving them the ability to effectively monitor the progress of data subject requests and other micro-level data processing activities.
Technology is starting to catch up to the needs of businesses, but it will always be one step behind hackers who are more than motivated to steal sensitive personal data en masse.
Another way for companies to optimize the efficiency of their DPO is to develop an automated data processing solution. Implementing such an innovative system keeps businesses from terrible fines that could possibly tank their reputation for good.
For more information on appointing a data protection officer and cybersecurity solutions, contact RSI Security.