At the time of this writing, the GDPR is about two weeks away. That’s a very short time when it comes to preparing for a new compliance regime, and we hope that most of you reading this have completed your preparations already. If not… well, there’s still time to prepare.
One of the biggest changes imposed by the EU’s privacy law is the creation of an entirely new managerial position: the Data Protection Officer, or DPO. Not every company that is subject to the GDPR will require a DPO, but every company that does require one will have to abide by a relatively strict set of rules. Here’s what to do, and what not to do.
DO: Understand if you need a DPO
The GDPR points out three specific categories of organizations that will need to appoint a DPO:
- Federal and state governments, and the various branches and departments thereof, such as law enforcement agencies or militaries. Essentially, all public authorities except for courts.
- Organizations that track individual behavior on a large scale on the internet – for example, mass marketing organizations, ecommerce companies, and the like.
- Organizations that handle data about criminals or criminal convictions on a large scale.
Once again, not every organization that is covered under the GDPR will have to appoint a DPO. Those that must appoint a DPO should also consider the following:
DO: Understand the Loyalties of the DPO
Your Data Protection Officer ideally has the responsibilities of a compliance lawyer with the skill set of a CSO. In other words, you can’t suddenly promote your intern to DPO. What you can do is promote your existing CSO (or CIO, or Chief Risk Officer) to the position of DPO. This approach comes with a couple of caveats, however, which may mean you want to hire someone completely new.
The DPO is responsible (among other things) for making regular reports to the Information Commissioner’s Office (ICO) regarding the state of corporate compliance. In this, their work is entirely independent – they cannot be directed or coerced as to how they do their job. In addition, they must be hired for a minimum of two years.
In other words, promoting your CISO to DPO will force them to be extremely candid about the state of your security. If you’re not comfortable with that, it’s probably best to hire from outside.
DON’T: Under-Resource your DPO
Apart from reporting to the ICO or its representative, the DPO must also monitor the state of a company’s compliance and provide advice as to whether corporate or administrative policy will affect said compliance. To do this, the DPO needs tools. What’s more, if you don’t procure reasonably adequate tools for the Data Protection Officer, this will become a factor in the ICO’s penalty judgement if and when you breach compliance.
Instead of waiting for the inevitable, give Safe-T a try. Safe-T’s Software Defined Access suite is more than an effective compliance tool – it’s a low-cost application that gives the user unheard-of visibility into, and control of, an organization’s compliance policies. Whether you need to emphasize encryption, data loss prevention, or network segmentation, Safe-T gives your Data Protection Officer the tools to deal with the GDPR. Find out more by signing up for a free trial!
*** This is a Security Bloggers Network syndicated blog from Safe-T Blog authored by Julie Shafiki. Read the original post at: https://blog.safe-t.com/dpo-dos-and-donts-for-gdpr-challenges