Organizations are starting to take a much more considered approach to data protection, as high-profile regulatory action over data mishandling has raised both the stakes and the interest in data privacy operations.
Since the EU General Data Protection Regulation (GDPR) came into force in May 2018, data protection has risen to the top of the news agenda. Simultaneously, the GDPR has raised the profile and highlighted the importance of the Data Protection Officer (DPO) internationally as, under this legislation, certain entities are under legal obligation to appoint a DPO.
Noncompliance with the GDPR carries hefty fines and is generally associated with a wave of negativity when public trust is compromised. Moreover, there is a growing global awareness that data protection matters, and people expect organizations to handle their personal data with care. It is for this reason that legislators around the world are actively seeking new ways to protect the security and privacy of personal data.
The global movement for an ethical handling of personal information is multidimensional. Investor activism and customer scrutiny – over the way their data is collected, processed and used – is putting the pressure on organizations to act ethically and on legislators to enact laws that effectively deal with rapid technological changes. Issues related to corporate governance and accountability are at the center of this movement.
Every day at HewardMills we speak with more and more organizations recognizing the value of in-depth knowledge and the need for total autonomy in this area. Businesses understand that their reputation is closely aligned with the processes around privacy and data protection in place. As a result, clearer lines are being drawn around departmental responsibilities to better operationalize data protection regulations.
Similar to other data specialist skill sets, demand for qualified and experienced DPOs is rising. This is a result of the role being both legally required for certain entities and of organizations realizing the value of fostering a data protection culture.
The DPO can be internal or external, but they must be allowed to function independently. They are the link between the organization, the supervisory authorities and the data subjects. Thus, it is important that the DPO strike a careful balance to meet their own obligations toward all parties involved.
DPOs play a pivotal role in an organization’s data management health and are required to report directly to the highest level of management. Some tasks that fall under the DPO role include advising on issues around data protection impact assessments (DPIAs), training, overseeing the accuracy of data mapping and responding to data subject access requests (DSARs). These things are all mandated under the GDPR.
Organizations may have good intentions to achieve best practices and meet their legal obligations, but the data protection process does not stop there. Practical knowledge on how to operationalize legal obligations is the key to success. For example, if an organization is not adequately prepared to respond to DSARs, it may miss the one-month GDPR deadline or respond in an incomplete manner.
Since the GDPR came into effect, supervisory authorities have actively sought greater transparency. This means that there is a particular focus on accurate privacy notices, data protection impact assessments and legitimate interest assessments. Given the global trend toward accountability, it is safe to argue that investing in data protection and privacy will win the trust of individuals, be they customers or employees. Organizations that foster a culture of integrity are at a competitive advantage in a world where privacy and data protection matter. For those that do not, the financial, legal and public opinion risks can be significant.
Being responsive to GDPR data subject requests helps to build trust with individuals and demonstrates a serious dedication to data protection obligations. The DPO is the contact point for data subjects who are exercising their rights. As such, DPOs must be easily accessible, be it by telephone, mail or other avenues. Lack of resources is not an excuse for neglecting legal obligations and denying data subjects their rights. A consultant or outsourced DPO role can provide a cost-effective way to fill this gap.
DPOs help organizations to prioritize risks. While they themselves must address the highest-risk activities first, they must also educate on how DPIA conclusions are reached. This allows controllers to know which activities should be prioritized and, ultimately, ensures that data controllers are informed about the perceived risks relating to different processing activities. For instance, the DPO could flag the need for data protection audits, enhanced security measures, or remediation of gaps in staff training and resource allocation.
To maintain the level of autonomy needed to act as an independent body, job security has been built into the DPO appointment. The DPO can be disciplined or even terminated for legitimate reasons. However, they cannot be dismissed or penalized by the controller or processor as a result of carrying out their duties. In other words, the organization cannot direct the DPO or instruct them to reach a certain desired conclusion. The DPO must also be given the resources required to achieve this level of independence and carry out their duties. Typically, these resources are budget, equipment and staff.
One of the benefits of using an external DPO is that conflicts of interest are less likely. Organizations should strive to give the DPO the necessary autonomy to successfully act as a bridge between data subjects, the organization and the supervisory authorities. The DPO should not be assigned tasks that would put them in a position of “marking their own homework”. Used correctly, the DPO is a partner that helps navigate the organization toward an ethical handling of personal data.
Faced with meeting strict obligations under GDPR, organizations controlling and processing personal data must empower and embrace their DPOs and work closely with them. Organizations should view DPOs as a type of insurance policy for data risk and not think of them as the regulators’ undercover watchmen.
Culled from Infosec Ireland