With every passing month, the onset of the General Data Protection Regulation seems to gather additional momentum.
However, despite there being less than a year before it comes into effect, I am still reading countless articles and having numerous discussions with organisations concerned about the ambiguity that remains around areas as diverse as ‘what data needs to be protected’ and ‘what staffing will be required to ensure compliance’.
One such area that many organisations, in both the private and public spaces, are currently struggling with is defining the role of the Data Protection Officer. For this reason, many have yet to fully understand the professional requirements that will be necessary for this position.
Earlier this year, the Article 29 Data Protection Working Party issued some clues as to what the role of the DPO is, and did provide some assistance in defining the requirements of the role. However, it did little to define the credentials for the DPO, which in turn has led to increased confusion around who is qualified to provide this function within an organisation.
That said, we do have some salient points which outline the functions that should be carried out by a DPO. Let’s take a look at some of those points below:
- Work with the organisation to ensure that the GDPR requirements are understood and that policies, processes and other functions that consume protected data are aligned with them
- Work with Senior and Executive Management to ensure that Impact Assessments (as required) are understood and actioned
- Identify risks associated with the collection and housing of personal data as defined by GDPR
- Monitor GDPR activities objectively within the organisation
- Provide training and establish a culture of data protection within the organisation
- Liaise with other organisations’ data controllers and/or processors to align data protection controls
- Function as the primary contact for questions, complaints, and other queries as they relate to personal data
- Ensure that all requests, such as the right to be forgotten, are carried out and that notifications are sent to stakeholders
On the surface, these functions may seem rather mundane, giving the impression that the role could be filled at a very low level within an organisation. Depending on the size of the company, that may be feasible. However, as the old expression goes, ignorantia legis neminem excusat, or ignorance of the law excuses no one, and given the severity of the fines associated with non-compliance, it is highly recommended that this role be staffed with personnel who have experience within the compliance space in general, and with EU privacy rules and regulations specifically. The DPO role is not one that sits at a lower level in the organisation; it is one that has executive management visibility and can explain, in both technical and non-technical terms, how GDPR governance has to occur.
As was mentioned previously, there is currently no defined certification that a DPO must hold. What we do have, however, is the following guidance from the Article 29 Working Party: “Although Article 37 does not specify the professional qualities that should be considered when designating the DPO, it is a relevant element that DPOs should have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR. It is also helpful if the supervisory authorities promote adequate and regular training for DPOs.
“Knowledge of the business sector and of the organisation of the controller is useful. The DPO should also have sufficient understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the controller.
“In the case of a public authority or body, the DPO should also have a sound knowledge of the administrative rules and procedures of the organisation.”
That said, there are certifications that do demonstrate the right level of understanding and, coupled with previous experience, would be a good starting point for organisations looking to appoint a DPO or to procure the services of such a person.
The first item to look for would be Certified Information Privacy Professional with a specialisation for the EU, referred to as CIPP/E. This certification track is offered by the International Association of Privacy Professionals and covers data protection requirements for the EU, the EU/US Privacy Shield requirements and, more recently, the GDPR specifically. This should also be coupled with the Certified Information Privacy Manager (CIPM) certification, so that both the operational (CIPP/E) and the programme design (CIPM) elements can be managed.
This all ties in nicely with what is expected from your vendors as well. Since you are entrusting your data to the cloud, you need to know that these standards are being taken just as seriously by your provider. Your DPO must coordinate with your provider’s DPO to ensure that Controller/Processor governance is in place, that the reporting your organisation needs in order to prove adherence is being performed, and that your data is properly secured. Your cloud provider should not be a black box; controls should be aligned between the two DPOs, and that takes an understanding not just of the GDPR but of ISO standards, penetration testing, encryption and other standards. Transparency should be offered by providers, not demanded by consumers of cloud services.
But what if a DPO doesn’t hold these certifications? Currently the guidance does not say. However, with fines that apply globally, it would be a much safer path to find a professional who understands the legal requirements of the EU, has both operational and design experience and also maintains their certifications. Ultimately, ignorance of the law excuses no one and, in this case, there is simply far too much to lose through non-compliance.
Frank Krieger, Director of Compliance, iland