Although not a new concept, the introduction of the GDPR has increased the jurisdiction under which compulsory appointment of a Data Protection Officer (DPO) applies and created a level of uncertainty around who has an obligation to appoint a DPO and what their specific role is. Jim Gregg of the Association of Data Protection Officers discusses the role of the DPO and the changes that will come into effect under the GDPR.
“They say the best time to plant a tree was 20 years ago but the next best time is now,” explains Jim Gregg, as he discusses the need for DPOs to start their journey of becoming GDPR compliant as early as possible.
Gregg has outlined 10 key areas in which businesses can start taking action now. The first is around accountability. “The data controller/processor is responsible for and must be able to demonstrate compliance with Data Protection principles/concepts so you are going to need to get familiar with these concepts fairly quickly if you haven’t already,” he says.
“Secondly, awareness around the severity of fines is important. The GDPR comes into effect on 25 May 2018, so inform your CEO of the penalties if your organisation doesn’t get it right. For ‘serious’ breaches that could cost €10 million or 2 per cent of annual turnover (whichever is higher) and for ‘very serious’ breaches this rises to €20 million or 4 per cent.”
Gregg points out that any data processor whose processing of data requires regular and systematic monitoring of data subjects (either staff or customers) needs to appoint a data protection officer. This can be an external consultant or an internal appointee; however, he stresses the importance of avoiding any conflict of interest.
He adds: “Beware of making your IT, HR or marketing manager your DPO. Anyone who is involved in the management of monitoring data or data subjects could easily be accused of having a conflict of interest when carrying out the duties of the DPO. The DPO must be neutral in their duties.”
Ensuring that data collection policies and procedures build in privacy from the outset will be a key area for a DPO and company. “You must ensure you have the permission of the data subject from the beginning. This means consent must be built into all your systems and be part of any system you design. No manual change should be required by the data subject for them to attain privacy and you can only keep the data for as long as it is needed.”
Increased privacy for all consumers also means having in place a mechanism for measuring functionality, explains Gregg. If processing can potentially result in high risks to the rights and freedoms of individuals, then a privacy impact assessment (PIA) is the best tool to show that the impact on privacy of any processes in place has been considered.
Gregg outlines: “A PIA is essential if you are considering a project or designing a system which is bringing together data sets or one which routinely processes personal data. A PIA must be performed before data is processed or used and should include: a description of the envisaged data processing, the purpose of the processing and whether this is proportional to the consent given, an assessment of risks and your plan to mitigate these risks.”
On profiling, a major tool of data analytics, he says: “If you are going to profile data subjects you must inform them that profiling will occur. This could be analysing or trying to predict a person’s health, performance at work, economic situation, reliability, behaviours, location or movements. This information must be available to your data subjects and you must cease profiling should the data subject object to this process.”
Not just in profiling but across the GDPR the principle of consent has been strengthened. Consent according to the Regulation is ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he/she, by a statement or by a clear affirmative action agrees to the processing of personal data relating to him or her’. This means that silence is not consent, and abolishes the custom of a pre-checked tick box opting someone in.
Gregg also points out that it is important to note that the scope of what was previously known as sensitive personal data has broadened and now includes genetic data, biometric data and health data. “Therefore, if you are using this type of data then you are subject to the highest data protection standards and penalties,” he adds.
Lastly, he explains: “Unfortunately, for most organisations, a breach of some sort is more likely to happen than to never happen at all, so always take a risk-based approach to data breaches. Assess the nature and volume of data concerned and the number of data subjects involved. If you identify a high risk you have 72 hours to notify the ODPC and/or data subjects.”
Under the GDPR a DPO is required if your data is processed by a public authority or body, if your processing operations require ‘regular and systematic monitoring of data subjects on a large scale’, or if you process large amounts of ‘special categories of data’ or personal data relating to criminal convictions or offences.
While the appointment of a DPO will not be compulsory for most private sector companies, Gregg believes that this should not mean appointing a DPO should be ruled out. “Most companies only process health, convictions or sensitive data in a manner incidental to their business, typically in the ordinary course of personnel administration. It is recommended to document the internal analysis carried out to determine whether or not a DPO needs to be appointed.
“A DPO can be appointed voluntarily, either as an employee or contractor. However, if doing so, they should be adequately trained, resourced and with expert knowledge of data protection laws and practices. Importantly, they need to be an unbiased, independent person without direct or personal interests in the operations of the company’s data processing.”
Asked whether Brexit will complicate the process for DPOs and processors aiming to comply with the GDPR, Gregg says: “When personal data leaves the EU, it is considered to have been sent to a third country. This will include post-Brexit UK. The UK is addressing the issue by copying the GDPR into their own law, the Data Protection Bill 2017. Hopefully, this will reduce many of the compliancy threats to EU/UK data transfer.
“Aligning policy is only part of the solution, however. It also depends on how Brexit negotiations play out and the deal agreed by both parties. If the UK were to join EFTA, the GDPR could be built into a trade agreement, as will happen with Norway. Otherwise, the European Commission may want to review the UK’s data protection laws. Ratification could be delayed until the UK leaves the EU, in turn leading to a potential undetermined period between the alignments of policy.”
The Association of Data Protection Officers was launched by the Irish Computer Society (ICS). The ICS will host the National Data Protection Conference at Croke Park, Dublin on 24-25 January.