“Congratulations, You’re Our New DPO!” Now What?

Perhaps you were the last one to arrive at the meeting and the rest of your colleagues volunteered you. Of course, your boss said, “This is valuable work; you are just the person for the role,” so you rose to the challenge.

If you’ve read this far, you probably are not one of the few data protection professionals, and you’re learning on the fly, trying to comprehend all things GDPR-related and to prepare your company for 25 May 2018, when the European Union General Data Protection Regulation (GDPR) takes effect.

What must you know? What does GDPR mean for Data Controllers, and what exactly is a Data Protection Officer? Here is a quick tutorial.

Data Controllers: The Data Protection Act of 1998 (DPA) established the role of data controller to “exercise overall control over the purpose for, and the manner in which, personal data are processed.” A data controller must exercise control over and assume responsibility for data processing across the organization.

Data Processors: The DPA distinguishes between data controllers and data processors. A data processor is anyone who processes the data on behalf of the organizational data controller. Data processing includes any action from the beginning of the process (i.e., retrieval, storage, analysis) to the end (i.e., transmission, dissemination, erasure, or destruction).

How has GDPR changed these positions?

New Rules Under GDPR: The GDPR has provisions for both controllers and processors that bolster their authorities and responsibilities for the data managed throughout the organization. Controllers still determine the purposes and means for processing personal data. GDPR requires controllers to manage the following:

1) Transparency: GDPR requires organizations to conduct information audits and map data flows. You must also document the personal data you store, its source, what you’re doing with it, and with whom you share it.

2) Legality: Businesses must identify and document the legal bases for processing personal data.

3) Document Consent: How do you request and record consent? Are your data systems capable of recording and managing these consent documents? GDPR requires this review for your organization. And if your business delivers online services directly to minors, you must have data systems capable of securing consent from their guardian.

4) Registration: Lastly, your organization must register with the Information Commissioner’s Office.

Data Protection Officer (DPO): GDPR requires your organization to appoint a data protection officer (DPO) if it is a public agency or carries out specific processing activities (e.g., large scale, regular, and systematic monitoring of individuals; or large scale processing of special categories of data or data related to criminal convictions and offenses). The DPO plays a crucial role in helping your organization fulfill its data protection obligations. The DPO must:

1) Report directly to upper management and function independently of other branches.

2) Be involved in all issues relating to the protection of personal data.

3) Be sufficiently resourced to perform necessary tasks.

4) Perform their tasks without conflicts of interest or fear of penalty. These tasks include the following:

a. Monitor compliance with GDPR laws and policies.

b. Advise the organization on steps to comply with data protection obligations.

c. Provide advice for Data Protection Impact Assessments (DPIA).

d. Act as a contact point for the Information Commissioner’s Office (ICO).

You must document the name and contact details of your DPO and controllers, and you must provide them to the ICO. If you decide your organization does not warrant a DPO position, it’s best to record this decision to demonstrate compliance with GDPR’s accountability principle (Article 5(2)).

At FileFacets, we recognize there is no silver bullet for GDPR compliance, but we can help organizations take the first essential step of knowing where their sensitive data is stored. We can then organize the data properly—saving, deleting, storing, protecting—to improve security and create compliance. This process will enable organizations to respond to data subject access requests (DSARs) in a timely fashion, too.

With solutions priced sensitively for all businesses (small, medium, and enterprise), can FileFacets be part of your GDPR project? We have years of experience in information governance and in providing tools for acquiring data and for identifying and actioning personal data from multiple sources.