Under Article 37 of the General Data Protection Regulation (GDPR), all public authorities and bodies will be required to designate a Data Protection Officer (DPO). Private sector organisations that on a large scale as part of their core activities regularly and systematically monitor data subjects or process sensitive personal data will also have to appoint a DPO.
A DEFINITION OF DATA PROTECTION OFFICER
A data protection officer (DPO) is an enterprise security leadership role required by the General Data Protection Regulation (GDPR). Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.
WHAT COMPANIES NEED DATA PROTECTION OFFICERS?
Put forth by the European Parliament, the European Council, and the European Commission to strengthen and streamline data protection for European Union citizens, the GDPR calls for the mandatory appointment of a DPO for any organization that processes or stores large amounts of personal data, whether for employees, individuals outside the organization, or both. DPOs must be “appointed for all public authorities, and where the core activities of the controller or the processor involve ‘regular and systematic monitoring of data subjects on a large scale’ or where the entity conducts large-scale processing of ‘special categories of personal data,’” like that which details race or ethnicity or religious beliefs.
DATA PROTECTION OFFICER RESPONSIBILITIES AND REQUIREMENTS
The GDPR became effective on May 25, 2018, and the data protection officer became a mandatory role under Article 37 for all companies that collect or process EU citizens’ personal data. DPOs are responsible for educating the company and its employees on important compliance requirements, training staff involved in data processing, and conducting regular security audits. DPOs also serve as the point of contact between the company and any Supervisory Authorities (SAs) that oversee activities related to data.
As outlined in the GDPR Article 39, the DPO’s responsibilities include, but are not limited to, the following:
- Educating the company and employees on important compliance requirements
- Training staff involved in data processing
- Conducting audits to ensure compliance and address potential issues proactively
- Serving as the point of contact between the company and GDPR Supervisory Authorities
- Monitoring performance and providing advice on the impact of data protection efforts
- Maintaining comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities, which must be made public on request
- Interfacing with data subjects to inform them about how their data is being used, their rights to have their personal data erased, and what measures the company has put in place to protect their personal information
QUALIFICATIONS FOR DATA PROTECTION OFFICERS
The GDPR does not include a specific list of DPO credentials, but Article 37 does require a data protection officer to have “expert knowledge of data protection law and practices.” The Regulation also specifies the DPO’s expertise should align with the organization’s data processing operations and the level of data protection required for the personal data processed by data controllers and data processors.
A DPO may be a staff member of the controller or processor, and related organizations may use the same individual to oversee data protection collectively, as long as it’s possible for all data protection activities to be managed by the same individual and the DPO is easily accessible by anyone from any of the related organizations whenever needed. The DPO’s information must be published publicly and provided to all regulatory oversight agencies.
BEST PRACTICES FOR HIRING A DPO
Because companies that handle data of EU citizens are subject to the GDPR even if they are not located in the EU, one study predicts that 28,000 DPOs will be needed for regulated organizations to achieve GDPR compliance when the law goes into effect in May 2018. Companies and organizations need to have their DPOs in place before the Regulation goes into effect, so it’s important to begin recruiting and hiring DPOs sooner rather than later in order to secure the most qualified professionals for the role, as they’re sure to be in high demand as the deadline looms.
To hire the right DPO, you’ll need to ensure they have expertise in data protection law and practices and a complete understanding of your IT infrastructure, technology, and technical and organizational structure. You may designate an existing employee as your DPO, or you may hire a DPO externally.
Companies and organizations should look for candidates that can manage data protection and compliance internally while reporting non-compliance to the proper Supervisory Authorities.
Ideally, a DPO should have excellent management skills and the ability to interface easily with internal staff at all levels as well as outside authorities. The right DPO must be able to ensure internal compliance and alert the authorities of non-compliance while understanding that the company may be subjected to hefty fines for non-compliance.
WHO IS SUBJECT TO GDPR COMPLIANCE?
The purpose of the GDPR is to impose a uniform data security law on all EU members, so that each member state no longer needs to write its own data protection laws and laws are consistent across the entire EU. In addition to EU members, it is important to note that any company that markets goods or services to EU residents, regardless of its location, is subject to the regulation. As a result, GDPR will have an impact on data protection requirements globally.
REQUIREMENTS OF GENERAL DATA PROTECTION REGULATION 2018
The GDPR itself contains 11 chapters and 91 articles. The following are some of the chapters and articles that have the greatest potential impact on security operations:
- Articles 17 & 18 – Articles 17 and 18 of the GDPR give data subjects more control over personal data that is processed automatically. The result is that data subjects may transfer their personal data between service providers more easily (also called the “right to portability”), and they may direct a controller to erase their personal data under certain circumstances (also called the “right to erasure”).
- Articles 23 & 30 – Articles 23 and 30 require companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure.
- Articles 31 & 32 – Data breach notifications play a large role in the GDPR text. Article 31 specifies requirements for single data breaches: controllers must notify SAs of a personal data breach within 72 hours of learning of the breach and must provide specific details of the breach such as the nature of it and the approximate number of data subjects affected. Article 32 requires data controllers to notify data subjects as quickly as possible of breaches when the breaches place their rights and freedoms at high risk.
- Articles 33 & 33a – Articles 33 and 33a require companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.
- Article 35 – Article 35 requires that certain companies appoint data protection officers. Specifically, any company that processes data revealing a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer; these officers serve to advise companies about compliance with the regulation and act as a point of contact with Supervisory Authorities (SAs). Some companies may be subjected to this aspect of the GDPR simply because they collect personal information about their employees as part of human resources processes.
- Articles 36 & 37 – Articles 36 and 37 outline the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.
- Article 45 – Article 45 extends data protection requirements to international companies that collect or process EU citizens’ personal data, subjecting them to the same requirements and penalties as EU-based companies.
- Article 79 – Article 79 outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company’s global annual revenue depending on the nature of the violation.
GDPR ENFORCEMENT AND PENALTIES FOR NON-COMPLIANCE
In comparison to the former Data Protection Directive, the GDPR has increased penalties for non-compliance. SAs have more authority than in the previous legislation because the GDPR sets a standard across the EU for all companies that handle EU citizens’ personal data. SAs hold investigative and corrective powers and may issue warnings for non-compliance, perform audits to ensure compliance, require companies to make specified improvements by prescribed deadlines, order data to be erased, and block companies from transferring data to other countries. Data controllers and processors are subject to the SAs’ powers and penalties.
The GDPR also allows SAs to issue larger fines than the Data Protection Directive; fines are determined based on the circumstances of each case and the SA may choose whether to impose their corrective powers with or without fines. For companies that fail to comply with certain GDPR requirements, fines may be up to 2% or 4% of total global annual turnover or €10m or €20m, whichever is greater.