Featured in JEP’s Law Review Supplement – 14th February 2018
I have already come across three data breaches with various organisations in the last few weeks (the data controllers had to be notified by external parties!) and their response was that it is “not their fault” or “it was an accident”. I think it is fair to say that this response will simply not be acceptable to the data subject(s) or the Supervisory Authority after 25 May 2018, when GDPR comes into effect. But how are organisations dealing with GDPR?
I would always view a GDPR project through the lens of a governance framework because of its scope and compliance nature. With the increased scope and responsibilities now placed on organisations by GDPR, directors must be aware that non-compliance will not only expose their organisation to fines; there are real risks to reputation, to enterprise value for shareholders and potentially to insurance cover, which may be reduced or restricted going forward.
Observations so far:
When talking to organisations I often remind them of a simple point: your organisation should already be doing most of this data protection work anyway under existing law! Their reaction to the recent publicity around GDPR is a mixture of “it’s like another Y2K type project, all very expensive project work now and nothing will happen after 25 May 2018” and “I’ll just hand it all over to the DPO to worry about!” I’m sure you have similar stories to share. Here are three areas that I keep encountering and having to clarify for organisations.
(A) The DPO is not the Data Controller
In some cases there is a misunderstanding that an organisation can, by appointing a DPO or outsourcing to an external DPO, delegate its responsibility for GDPR to them, i.e. that it somehow absolves itself of its non-compliance sins – it will now become the DPO’s problem! I then explain the A37 provisions on appointing a DPO, A38 on the position of the DPO within an organisation and A39 detailing the tasks which a DPO must perform. The final surprise (in some cases) for them is A24, which makes it very clear that it is the Data Controller who is responsible for compliance, and for demonstrating compliance, and not the DPO.
(B) Three pillars of data protection
One of my other observations is that some organisations think that by simply installing a new technology product or software solution they will automatically become GDPR compliant. Technology is of course an important “pillar” of data protection, but people and processes should not be forgotten. These two other “pillars” of data protection must be given equal focus to ensure compliance. An obvious but important point is that GDPR also applies to personal data that is not digitally recorded or processed.
A25 refers to the use of “state of the art” technology where possible, but A24 states that the data controller “…shall implement appropriate technical and organisational measures…”. Data controllers need to focus on training people at all levels within their organisation about their obligations under GDPR, setting up a proper and effective communication process between them and the DPO (if appointed), and ensuring awareness of the requirement to conduct DPIAs under A35 as part of the “privacy by design and default” approach required by GDPR.
In preparation for 25 May 2018, data controllers should not forget an important point in A38(3) and Recital 97: the DPO must perform “their tasks in an independent manner”. This is emphasised in the A29 Working Party guidance “Guidelines on Data Protection Officers (‘DPOs’)”, WP243 rev.01 16/EN, last revised and adopted on 5 April 2017. A DPO cannot hold a position that leads them to “determine the purpose and the means of processing of personal data”.
The guidance states that the following people should not be the DPO: the CEO, COO, CFO, Chief Medical Officer, head of marketing, head of HR or head of IT. The data controller must also take great care not to blur (in perception or in fact) the lines between a technology service provider that offers outsourced DPO services and one that provides technology services to the organisation, particularly where the same provider does both.
(C) DPO qualifications
This is an area that organisations are increasingly struggling to understand in the absence of any formal qualification under the GDPR. This may of course evolve over time, possibly at the same time as the European Data Protection Board (EDPB) approves the certification mechanisms envisaged by A42 and A43.
While A37(5) gives only a brief indication of the required “qualities”, the A29 Working Party guidance provides much more detail on the desired qualifications and experience a DPO should have.
The key skills noted are:
– Expert knowledge of national and EU data protection laws and practices including in-depth knowledge of GDPR
– Understanding processing operations carried out
– Understanding information technologies and data security
– Knowledge of your business sector and organisation
– Ability to promote a data protection culture
Data Controllers will have to take time to consider exactly what skill set is required for a DPO in their organisation, taking into account factors such as the complexity of their processing, the amount of large-scale processing they carry out and the amount of sensitive data the organisation is responsible for processing.
After taking all of these factors into account and making the right decisions for their organisation, Data Controllers can “be secure” in the knowledge that they can look forward and lead in this new data protection age.