Data-Privacy.ie – July 2020
If you are planning to formalise the role of data protection officer in your organisation, or to engage a DPO-as-a-service (DPOaaS) provider, this article is for you. Choosing a competent data protection officer (DPO) has never been more important, given the rising tide of privacy regulation and the scale of the breaches of trust seen in recent years. Readers will be all too aware of the headline stories behind Cambridge Analytica, Facebook and Google, but in truth hundreds of lesser-known privacy violations occur all the time. At a micro-economic level these violations are damaging both financially and reputationally. Companies notice a sizeable increase in data portability requests after they publicly report violations. That comes in tandem with the hit to their P&L statement once the investigative work, audits, legal fees and the general increase in scrutiny are factored in.
Traditionally, the burden of prevention and incident response fell on security teams, who handled breaches and security controls at a binary level: turn this on, disable that. The shifting sands of regulation, however, have demanded a more nuanced role, one that is more empathetic to the consumer and can do more than spell "ethics". Hence the evolution of the data protection officer role, which appears in Article 37 of the GDPR. So, assuming you are looking to hire a DPO, or just want to understand what your existing DPO should be doing, we address the key qualities in the following sections.
GDPR, the CCPA in California, Privacy Shield, New York's SHIELD Act and other national and state acts are founded on legal principles. Any DPO worth their payslip will be cognisant of, and proactive in considering, legal opinions from the relevant agencies: the Advocate General of the ECJ, jurisdictional attorneys general and data protection authorities. Due diligence should see a DPO subscribed to privacy feeds on Twitter and to industry watchdog feeds from the likes of epic.org, noyb.org and euractiv.com, and au fait with analysis from national law firms and Big 4-type consultancies. It is also worth setting Google Alerts for custom terms that are more apropos to your organisation. The legal landscape in data protection changes quickly; for example, Privacy Shield is in question at the minute, which means that BCRs and SCCs (the mechanisms for inter-country data transfers) are in question too. National security agencies are also being challenged on their retention and use of personal data for counter-terrorism and law enforcement purposes. For example, the FBI's querying of personal data collected under FISA (the Foreign Intelligence Surveillance Act) was ruled to have breached constitutional rights during 2017 and 2018.
The point being that, depending on the type of organisation you work for, some or all of the aforementioned topics may have a bearing on contracts, assessments, security and risk, and a data protection officer must consider them. A good DPO should be expected to work with legal, marketing, security and executives in a competent advisory role, understanding case history and the common causes of breaches publicised by their data protection authority.
Writing policies can take up to 30% of a DPO's time, depending on the maturity of the data protection programme. By writing I mean research-based adaptation of standards to your company's internal workings. Specific policies include personal data breach notification, data retention, third-party transfer agreements, data processing agreements, data protection impact assessment (DPIA) procedures, employee privacy notices, DSAR forms and a host of other mandatory documents that could fill this page. Data protection also overflows into other technical policy areas, such as data encryption, media destruction and password controls, which must be considered. Lastly on this point: software developers, particularly agile practitioners, plough quickly through their sprints and user stories with a greater focus on output than on data protection. DPOs need to inject their agenda into how code is built and released, in the form of policies and compliance monitoring.
In times of crisis, such as a breach, a carefully planned choreography should kick in, with the DPO ready, willing and able to play the role of breach responder. This involves confirming and categorising the nature of the breach, activating the incident response plan, co-ordinating the response with legal, IT, marketing, executives and so on, preparing communication templates for customers and the data protection authority (under the GDPR the authority must be notified within 72 hours of becoming aware of a notifiable breach), and mitigating the damage. All of this is followed by reporting, remediation and post-incident communication to affected parties.
These tasks are not for the faint-hearted, given the time pressure and the burden of responsibility in a crisis. Hence a DPO should be an experienced first responder who can point to successful outcomes in their recent history before taking on the role.
Training is probably one of the harder things to quantify, but it has the biggest impact on user behaviour. It must be an active pursuit, kept current with the latest legislation and threats. So what type of training do I mean? Onboarding, annual staff training, role-specific training and ongoing user awareness training.
The focus of training will vary by category. Onboarding will focus more on employee privacy notices, acceptable use policies, training time and attendance requirements and other related company policies. For annual staff training in the age of Zoom, I would use a mass-media approach to get the message out on privacy regulation, staff responsibilities, industry breach history, contacts and so on. Annual training is the DPO's real opportunity to make a difference in the role and should be delivered live. Email circulars, surveys and quizzes are all good, but in isolation they are less impactful than a person delivering the message. Lastly on this topic, role-specific training. It may be tempting to take a one-size-fits-all approach to user awareness training, but in reality the threat profiles of a database administrator, a developer, a marketing person and a customer service rep are different. Consider the customer and customer-data touch points: a database administrator has direct influence over stored customer data, whereas a marketing person likely does not, yet the marketing person will deal directly with customers in campaigns and calls. The point being, training needs to be adjusted to the role; otherwise your risk exposure for the individual involved is significantly higher.
The integrity of the data protection office depends hugely on its independence from organisational bias. What do we mean here? The DPO role is expected to be an impartial one in the eyes of the DPA, one that demonstrates accountability and good faith toward the customer. The customer is better served by these characteristics, and the organisation is better placed from a regulatory standpoint.
An effective DPO should demonstrate fair and impartial assessment in their DPIAs, in their oversight of data processing activities and in their reporting to the executive and the regulatory authorities. Ultimately, the DPO should not be impeded from performing this important function (Article 38 of the GDPR requires that the DPO receives no instructions regarding the exercise of their tasks and is not dismissed or penalised for performing them), and they should also have the drive to ensure that this remains the case and to maintain their independence.
As in all elements of business, risk is everywhere, and making sense of it demands classification and treatment plans. In the formal sense, a data protection officer is expected to conduct data protection impact assessments and identify corrective action plans, and to maintain a register of processing activities that records the purpose of each activity. Beyond this, the DPO should understand the common failures in the industry, the ones most likely to make it onto the wall of shame on supervisory authority websites or into the newspapers. A quick browse of the web yields an abundance of cases: failure to respond to DSARs within the one-month statutory window, disputes over the use of CCTV footage in wrongful termination claims, correspondence containing PII sent to the wrong address (frequently an old one), inappropriate data sharing with third parties, and plain bad housekeeping of technical controls (weak passwords, unencrypted data, unpatched systems etc.). On top of all this is third-party risk, particularly from data processors.
If you take your eye off the ball with third parties, your risk of being stung is greater. I mentioned SCCs and BCRs for inter-country transfers, but standard clauses with suppliers, even those in the same country, need to be addressed too (the GDPR's Article 28 makes a written contract with each processor mandatory): they should set out the right to audit, compliance with best practice, responsibilities and the assumption of liability in the event of a breach of contract.
In closing on these topics, a recent law.com article on four keys to mastering data privacy listed: "a) knowing your data: what you have, where it is, who can access it; b) efficiently responding to consumer requests for data; c) knowing who can access your data outside of your organisation (vendor risk); and d) keeping only the data that serves a business or legal purpose."
We would fall in line with these steps and add that time is of the essence. Data protection should be a business-as-usual (BAU) process for any organisation that could be financially or reputationally harmed by a data breach, which is probably 98% of them if you hold more than a few hundred customer records on your systems.