GDPR Readiness: Role of the DPO
EDAA Summit 2017 – London
Paul Jordan, Tuesday 28 November, 2017
www.iapp.org
Overview
• General DPO requirements under the GDPR: legitimacy of the DPO role
• International research findings in data protection
Data Protection Officers (Art. 37–39)
Data Protection Officers (Art. 37–39) are to ensure compliance within organisations. They have to be appointed for all public authorities and for controllers and processors whose "core activities":
- regularly and systematically monitor data subjects on a large scale, or
- process on a large scale special categories of data (Art. 9 and 10).
What do 'core activities' and 'large scale' mean?
- Core activities: key operations necessary to achieve business goals, plus processing which forms an inextricable part of the business activity.
- Large scale: Recital 91 mentions "processing operations which aim to process considerable amounts of personal data at national, regional or supranational level which could affect a large number of data subjects and which are likely to result in a high risk".
DPD (Directive 95/46/EC)
SECTION IX NOTIFICATION – Article 18 Obligation to notify the supervisory authority
1. (…)
2. Member States may provide for the simplification of or exemption from notification only in the following cases and under the following conditions:
• (…)
• Where the controller, in compliance with the national law which governs him, appoints a personal data protection official, responsible in particular:
  • for ensuring in an independent manner the internal application of the national provisions taken pursuant to this Directive,
  • for keeping the register of processing operations carried out by the controller, containing the items of information referred to in Article 21(2), thereby ensuring that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations.
Article 20 Prior checking
1. (…)
2. Such prior checks shall be carried out by the supervisory authority following receipt of a notification from the controller or by the data protection official, who, in cases of doubt, must consult the supervisory authority.
GDPR
SECTION 4 DATA PROTECTION OFFICER – Article 37 Designation of the data protection officer
1. The controller and the processor shall designate a data protection officer in any case where:
a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
Data Protection Officers
Nature and challenges
• The DPO is similar to, but not the same as, a Compliance Officer, as they are also expected to be proficient at managing IT processes, data security (including dealing with cyber-attacks) and other critical business continuity issues around the holding and processing of personal and sensitive data. The skill set required stretches beyond understanding legal compliance with data protection laws and regulations.
• Monitoring of DPOs will be the responsibility of the Regulator rather than the Board of Directors of the organisation that employs the DPO: the independence factor.
• Internally, the DPO will need to create their own support team and will also be responsible for their own continuing professional development, as they need to be relatively independent of the organisation that employs them, effectively acting as a 'business enabler' within organisations.
Data Protection Officer
Qualifications
Art. 37(5): 'The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.'
• Certifications: CIPP/E (EU data protection legislation), CIPM (data protection practices, [D]PIAs, programme management)
• Further qualifications and continuous education
CIPP/E – EU laws and regulations
The global standard for the go-to person for privacy laws, regulations and frameworks
CIPM – Operations
The first and only privacy certification for professionals who manage day-to-day operations
Data Protection Officer
Responsibilities (Art. 39)
• Counsel the entity in regard to applicable data protection laws
• Monitor compliance with applicable data protection (GDPR) provisions and alignment with internal policies, including the assignment of responsibilities
• Awareness-raising and training of staff involved in the processing operations
• Conduct data protection audits and [D]PIAs
• Cooperate and communicate with the responsible regulatory authority
Data Protection Officer
Data Protection Risk Management
Art. 39(2): 'The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.'
Privacy Risks
• Notice and consent
• Data loss
• Data usage
• Individuals' rights
• Data transfers
• Third parties
• Over-retention of data
Data Protection Officer
Positioning in the company (Art. 38)
1) Proper and timely involvement in all relevant aspects, to be ensured by the controller
2) Support by sufficient resources, access to data and systems, and allowance for further qualification
3) Independence from instructions and protection against sanctioning by the controller as employer
4) Point of contact for data subjects
5) Professional secrecy and protection against conflicts of interest
Accountability & GDPR
Accountability is a Key Principle
The new accountability principle in Article 5(2) requires the controller to demonstrate compliance with the principles relating to the processing of personal data, and states explicitly that this is the controller's responsibility.
Demonstrating Accountability
• Demonstrate compliance by implementing appropriate technical and organisational measures
• Maintain relevant documentation
• Appoint a data protection officer, if appropriate
• Implement measures that meet the principles of data protection by design and data protection by default
Outsourcing the DPO?
Shared and external DPOs
Art. 37(2): 'A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.'
Art. 37(6): 'The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.'
CPO vs. DPO
Considerations
• Is this mandatory DPO the lead data protection and privacy voice in the organisation?
• Does the DPO's role in working with the regulator make it difficult for the DPO to engage in high-level strategic conversations?
• Would appointing external counsel as DPO create conflict when working with the lead privacy voice in the organisation?
• Remember Art. 38(3): 'The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks.'
For questions or to request additional information:
Paul Jordan, Managing Director, Europe, [email protected], +32 (0)2 761 66 86, www.iapp.org