Countdown to GDPR #3: Do You Need a Data Protection Officer?

To prepare for the upcoming GDPR we're doing a series of blog posts about its key provisions and ways to comply with them. In Part 1 we discussed the Right to Be Forgotten and in Part 2 we covered Privacy by Design and by Default.

In this blog we analyze the emerging role of the Data Protection Officer. Is it all hype or a must-have?

The Article Explained

The GDPR explicitly calls out the role of the Data Protection Officer: an independent role, reporting to the highest level of management, that advises the organization on its data protection obligations and monitors its compliance with the GDPR.

Article 37 of the GDPR, Designation of the data protection officer, states that:

The controller and the processor shall designate a data protection officer in any case where:

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offenses referred to in Article 10.

How do I Achieve Compliance?

You need a DPO if your organization's core activities require regular and systematic monitoring of individuals on a large scale, or involve large-scale processing of special categories of data (health, biometric, racial or ethnic origin, political opinions, and so on) or of criminal conviction data. This applies whether the individuals are your employees, people outside the organization, or both, and it applies to processors as well as controllers. A DPO is also mandatory for public authorities and bodies, other than courts acting in their judicial capacity. Note that the trigger is the nature and scale of the processing in your core business, not simply the volume of personal data you happen to store. Organizations outside these criteria may still appoint a DPO voluntarily, in which case the same Article 37-39 requirements apply to that DPO.

Pointers to remember when hiring a DPO:

Qualifications of a DPO: Per Article 37(5), a DPO is designated on the basis of professional qualities and, in particular, "expert knowledge of data protection law and practices," but does not have to be a lawyer. The DPO should also have a detailed understanding of your IT infrastructure, HR processes and team organization, and needs sound management and communication skills to train and interface with internal staff, including your board.

Responsibilities of a DPO: Article 39 is devoted to the tasks of a DPO. These include:

  1. Informing and advising the organization and the employees who carry out processing of their obligations under the GDPR and how it affects their processes.
  2. Monitoring compliance with the GDPR and with the organization's own data protection policies, including assigning responsibilities, raising awareness and training the staff involved in processing.
  3. Providing advice on data protection impact assessments (Article 35) where requested, and monitoring their performance.
  4. Cooperating with the supervisory authority.
  5. Acting as the point of contact for the supervisory authority on matters relating to processing, including the prior consultation required by Article 36.

Where vendors process personal data on your behalf, the DPO will in practice also need to monitor those processors, since Article 28 makes the controller responsible for choosing processors that provide sufficient guarantees.

Internal or External: A DPO can be an employee or an external contractor, but must be able to act independently. Article 38 requires that the DPO receive no instructions on how to carry out their tasks, report directly to the highest management level, and not be dismissed or penalized for "performing their tasks"; the DPO must also be able to raise non-compliance with the supervisory authority. The Article 29 Working Party (WP29) has clarified in its DPO guidelines that "the DPO cannot hold a position within the organisation that leads them to determine the purposes and means of the processing." In practice this rules out roles such as CEO, CIO, head of HR or head of marketing, which decide why and how personal data is processed.

Alternative Qualifications: DPOs benefit from a broad background. Cybersecurity experience in particular shapes how a DPO assesses situations that affect data privacy internally, and helps with the inevitable customer questions about the company's security posture as it relates to data subjects' personal data. Many companies, especially SMBs, may struggle to find the right person for the DPO position. It can make sense to recruit a candidate with a broad skill set and experience in cybersecurity, IT management, or IT compliance and audit as a baseline, and to invest in formal training and certification to bolster the role, while keeping the position focused on a management-level view of data-privacy compliance, strategy and vision for the company.

Lastly, Recital 97 of the GDPR notes that "the necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor." In other words, the more sensitive and extensive your processing, the more expertise your DPO needs.

What are your concerns about the GDPR? Tweet me @scarabeetle using #CountdowntoGDPR, or add a comment below.

For more information, listen to my discussion of the GDPR on The Hot Aisle podcast, episode #73, where I talk about the DPO role and more.

Stay tuned for my next blog on coordinating with customers and data controllers to ensure compliance.

Read all the articles in our GDPR series

This is a Security Bloggers Network syndicated blog post authored by Brian Rutledge. Read the original post at: Spanning