As of 25 May 2018, businesses and retailers that are based in the EU, have customers residing in the EU, and handle the personal data of EU citizens will have to comply with a new data protection regulation: the GDPR (General Data Protection Regulation).
GDPR represents the most significant change in data privacy regulation in 20 years. Organisations which fail to adhere to the GDPR’s data compliance rules face fines of 4 per cent of the business’ worldwide turnover or €20 million, whichever amount is greater. And, under GDPR, the Data Protection Authority (DPA) must be informed of a data breach within 72 hours of that breach being detected.
As a result, the GDPR mandates that all public sector organisations and many private sector organisations designate a Data Protection Officer (DPO) who will take ownership of data management and ensuring the organisation’s compliance with the GDPR.
Under Article 37 of the GDPR, DPOs are only mandatory where an organisation’s core activities consist of:
- Data processing operations which require regular and systematic monitoring of data subjects on a large scale or monitoring of individuals
- Processing a large scale of special categories of data (i.e. sensitive data such as health, religion, race, sexual orientation etc.)
- Data processing being carried out by a public authority or body processing personal data, except for courts operating in their judicial capacity
Failure to appoint a DPO where one is required risks a fine of €10 million or 2 per cent of the organisation’s worldwide turnover, whichever amount is higher.
The role of the Data Protection Officer
Appointed on the basis of ‘professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39’ (stated by Article 37), the DPO is a designated individual within an organisation who is responsible for overseeing and ensuring that organisation’s complete compliance with data regulations – including both the Data Protection Act and GDPR.
DPOs ultimately manage, monitor and assess an organisation’s data processing and management to determine whether the business is GDPR compliant. Furthermore, the DPO devises the data protection policies and procedures that bring an organisation into compliance with GDPR regulations, including implementing new policies, educating staff on data protection, assigning responsibilities, and handling data requests.
To help them carry out their activities, DPOs can:
- Request company resources to fulfil their job functions,
- Access the company’s data processing personnel and operations – as their job performance is highly dependent on these factors,
- Operate with a level of independence from the employer – and cannot be penalised or dismissed for performing their tasks,
- Report directly to the highest management level of the company (the board, trustees, CEOs, founders) and the company is legally obliged to give them the support they need.
Also, the DPO devises the policies and procedures that bring the organisation into compliance with regulation, monitors the implementation of those policies, ensures the professional development of staff in regards to data protection, assigns responsibilities and handles requests for data from the organisation.
Lastly, the DPO must ‘inform and advise the controller or the processor of their obligations’ as well as ‘document this activity and the responses received’ and be involved with all issues, scenarios and occurrences related to the protection of personal data.
The GDPR sets out the minimum tasks a DPO must undertake, which are:
- Informing and advising their colleagues of their data protection obligations
- Monitoring compliance with the GDPR and the organisation’s data protection policies
- Providing advice regarding Privacy Impact Assessments
- Co-operating with the relevant supervisory authority
- Acting as a contact point for the supervisory authority on data processing issues
It is important to note that while DPOs do not need to be legally qualified, they must have demonstrable expertise, including expert knowledge of data protection law and practices, as well as an understanding of an organisation's technical structure and IT infrastructure.
What is your next step?
Considering that 95 per cent of all security incidents involve human error, organisations should be investigating the recruitment of a DPO now. The longer they delay, the greater the risk they place upon their business. Some may think that this EU directive doesn’t matter in the wake of Brexit – but this is false. GDPR will be introduced irrespective of Brexit or of when Article 50 is invoked. A failure to act now could result in businesses sleepwalking into large financial penalties and reputational damage.
Why you need a Chief Data Officer
Data is a company’s largest asset – deserving a place on the balance sheet and to be highlighted as the lifeblood of the organisation. But it only has true value when used effectively. If not, a business is floundering in the dark, with unseen opportunities and inevitable mistakes.
Harnessing data is imperative. Responsibility for this generally lies with the up-and-coming role of ‘Chief Data Officer’ (CDO). With a place on the Board, perhaps reporting to but certainly working with the Chief Information Officer (CIO), the CDO should increasingly be viewed as the ‘data doctor’.
The remit is both preventative and diagnostic. What can be done to better manage the data a company holds? How can the highest possible value be reaped from it? How can it be securely stored, within the strict data protection regulations in each market in which a business operates? What are the potential issues if there is a data breach?
The CDO should be armed with answers or solutions to all of these questions, within their remit of data management and governance.
There are three main areas over which a CDO should have top level responsibility:
- Governance – with new regulations coming into place such as GDPR, varying restrictions and rules about data management and storage between different markets and Brexit affecting how UK companies store data in European facilities, there is a lot to understand, adhere to and be able to confidently explain.
- Information management – ultimately a business thrives on information and this is how decisions are made. Instant access to accurate and up-to-date information can propel a company to success. Taking action without consulting data from within the business is tantamount to saying history teaches us nothing. Business managers need the CDO to arm them with the best tools for their job.
- Security – the recent Yahoo! breach in which over 1 billion accounts were compromised again puts cybersecurity at the top of the board agenda. Although ultimate responsibility for IT security may not lie with the CDO, it’s crucial that they are aware of the measures being taken and are confident that the protection is more than adequate.
Everyone in a business wants data. It leads to knowledge, insight and better decisions. But it has to be beyond reproach, which is a time-consuming and meticulous job. It takes an analytical and questioning mind with superb attention to detail. If you can find the right person for the job, snap them up and retain them. A good CDO is probably your business’ new best friend.
Laura Cooper, Client Services Director, DataRaze