What Your Data Protection Officer Should Know About Privacy Requirements
Data privacy suddenly got hot a few years ago when Edward Snowden made his revelations about the NSA snooping on U.S. citizens’ data. Since then, data privacy violations and misuse have become synonymous with major companies such as Facebook, Google and Equifax. The word “privacy” is now well and truly associated with the troubles surrounding online data.
Data privacy is about how the information that represents an individual online or offline is used. Privacy is about choice and data management as much as it is about the security of these data. As part of the push towards a more privacy-respectful community, there have been a number of new or updated laws and regulations on the world stage. One such law has been the EU’s General Data Protection Regulation (GDPR) which came into force on May 25, 2018.
This article will address the sorts of details of the GDPR that any self-respecting Data Protection Officer (DPO) should know about.
Getting Personal: What Is Personal Data According to the GDPR?
The GDPR offers a definition of what constitutes personal data. This definition states that personal data is anything that can be used to tie the data to an individual: name, date of birth, address and so on. The GDPR extends the definition by including behavioral data and data such as religious and political leaning. Knowing what the term “personal data” actually describes is fundamental to your DPO’s knowledge base and will dictate how compliance with GDPR relates to your business.
GDPR categorizes personal data into two types:
Personal Data (Article 4)
This is the data most companies are used to dealing with. Data such as name, address and location are typical, but personal data can also cover IP address, genetic data, economic, cultural or physiological information.
Special Category: Sensitive Personal Data (Article 9)
This extended category includes data that pertains more to behavior but that still can be used as an identifier for an individual. These data include genetic and biometric, as well as lifestyle data such as religion, racial or ethnic origin and trade union membership.
Collecting and Consenting: Personal Data Use Under GDPR
Consent is an area that has created confusion and headaches for many companies. The whole area is prone to misunderstanding. But consent is a pillar of the GDPR, so vital to get to grips with, especially if you are a Data Protection Officer.
A DPO must understand exactly what the rules of consent are under GDPR, and how these are used in a pertinent manner in your overall business processes. If you collect and process personal data, you are under an obligation to collect user consent. Article 4 (clause 11) sets out how you take that consent and uses words such as “freely given, specific, informed and unambiguous” “… clear affirmative action”. Without a clear understanding of what consent is and how and when it should be used, a DPO can’t do their job.
Assessing Privacy: What Part Does a DPO Play in a DPIA?
A Data Protection Impact Assessment (DPIA) is usually carried out under the advisement of a DPO. It is a process of understanding, mapping and documenting how you collect, process, store, delete and otherwise handle personal data, and how this stacks up in relation to GDPR compliance.
The Fit: Where Does a DPO Fit Into the GDPR Equation?
A Data Protection Officer (DPO) is an individual either internal to an organization or employed on a consultancy basis. A DPO can be described as a data privacy professional and will have the experience and possibly certification to prove it. The DPO advises the business on how to ensure they are GDPR-compliant. The DPO needs to understand how the company operates and what types and level of data processing is being carried out, as well as the requirements of GDPR and data privacy in general.
The Mandated DPO
The GDPR mandates that an organization engages a DPO if they fall into one or more of these categories:
- Public authority or body
- Process data on a large scale
- Process “special category” data
The GDPR has the concept of data controllers and data processors — both are required to use a DPO if they fall into any of the three categories above. (Further details of what a data controller is can be found in our article, “Does the GDPR Threaten the Development of Blockchain?”)
But though the GDPR may not mandate the use of a DPO for all organizations, it strongly advises using one to interpret GDPR requirements.
DPOs for Companies Outside the EU
Companies outside of the EU will need a DPO if they offer goods or services to a person, or monitor the behavior of a person, residing in the EU. The conditions of the mandate are as above, but again, it is strongly advised to use the services of a DPO to interpret the GDPR requirements with respect to your own organization.
Size of Company and DPO
The requirement for a DPO is predicated on the activity of the company and not the size — even smaller organizations, if they fall into the mandatory categories, will need to use a DPO.
Location of a DPO
The GDPR strongly suggests the DPO be based in the EU but has provision for DPOs to be located elsewhere if your organization can show it would be more effective to do so.
Inside and Out: The DPO, Sensitive Personal Data, Company Types and Mapping
Each company has its own internal processes and ways of collecting and using personal data. This means that the DPO needs to understand the nuances of your business and how you operate. Only with that knowledge can they make sure that they can map the GDPR requirements seamlessly to your operative norms.
The DPO will be able to isolate instances where you are outside of GDPR compliance and suggest ways of adjusting your procedures and actions to meet compliance. A DPO will also be aware of some of the reduced obligations that are on offer from the GDPR, e.g., reduced documentation expectations for companies under 250 employees.
Because GDPR requirements have points of overlap with data security, e.g., suggested encryption of stored data, the DPO must be able to work closely with your security team.
If you appoint a DPO from inside your organization, you need to ensure that conflicts of interest cannot occur. The International Association of Privacy Professionals (IAPP) carried out a survey into the appointment of DPOs. They had a number of useful responses on the subject of conflict of interest. Respondents stated that internal DPO appointments should be “sole-role” or would be down to the individual’s own professionalism to avoid such conflicts. The survey also identified that DPOs would be expected to report directly to the highest level of an organization, thus focusing the mind of the DPO. Notably, two-thirds of surveyed respondents said they were likely to employ an internal person as their DPO.
Other Countries: Does a DPO Need to Know About Privacy Regulations in Countries Outside the EU?
More countries are creating, updating or expanding existing data protection laws to include privacy. For example, California has recently approved their privacy regulation “California Consumer Privacy Act of 2018 (CCPA)” which is being described as GDPR 2.0. Another example is the new Personal Data Protection Bill, 2018, about to be introduced in India. Using the services of a DPO can be highly valuable in ensuring you comply not just with GDPR, but with the data protection regulations of other countries too.
Conclusion: Make Sure Your DPO Knows About Privacy
If you decide to engage the services of a DPO, either internally or externally, you need to make sure that the person you take on has the requisite skills. Your DPO will act as an advisor to your business on all things GDPR and other data privacy issues. They should act as an independent, even if employed as an internal staff member. They will also act as a liaison and go-between, communicating with data subjects as well as your allocated GDPR Supervisory Authority.
A good Data Protection Officer will understand all of the complex aspects of data privacy. Your DPO will be able to keep your company abreast of any changes in the data privacy landscape, including new regulations above and beyond the GDPR. Ultimately, your DPO will be your go-to privacy expert, adding great value to your organization as data privacy regulations strengthen and consolidate across the world.
Article 4 EU GDPR “Definitions,” PrivazyPlan
CIPL Project on EU GDPR Implementation, Centre for Information Policy Leadership