www.iapp.org

GDPR Readiness: Role of the DPO
EDAA Summit 2017 – London
Paul Jordan
Tuesday 28 November, 2017



Overview

• General DPO requirements under the GDPR: legitimacy of the DPO role

• International research findings in data protection

The growth of an industry


Data Protection Officers (Art. 37–39)

Data Protection Officers (Art. 37–39) are to ensure compliance within organisations. They have to be appointed for all public authorities and for companies where the “core activities”:

- regularly and systematically monitor data subjects on a large scale, or

- process on a large scale special categories of data (Art. 9 and 10).

What does ‘core activities’ and ‘large scale’ mean?

- Core Activities: Key operations necessary to achieve business goals + processing which forms an inextricable part of the business activity.

- Large Scale: Recital 91 mentions “processing operations which aim to process considerable amounts of personal data at national, regional or supranational level which could affect a large number of data subjects and which are likely to result in a high risk”.

DPD (Data Protection Directive)

SECTION IX NOTIFICATION
Article 18 Obligation to notify the supervisory authority

1. (…)

2. Member States may provide for the simplification of or exemption from notification only in the following cases and under the following conditions:

• (…)

• Where the controller, in compliance with the national law which governs him, appoints a personal data protection official, responsible in particular:

  • for ensuring in an independent manner the internal application of the national provisions taken pursuant to this Directive

  • for keeping the register of processing operations carried out by the controller, containing the items of information referred to in Article 21(2), thereby ensuring that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations.

Article 20 Prior checking

1. (…)

2. Such prior checks shall be carried out by the supervisory authority following receipt of a notification from the controller or by the data protection official, who, in cases of doubt, must consult the supervisory authority.

GDPR

SECTION 4 DATA PROTECTION OFFICER
Article 37 Designation of the data protection officer

1. The controller and the processor shall designate a data protection officer in any case where:

a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

Data Protection Officers

Nature and challenges

• The DPO is similar but not the same as a Compliance Officer as they are also expected to be proficient at managing IT processes, data security (including dealing with cyber-attacks) and other critical business continuity issues around the holding and processing of personal and sensitive data. The skill set required stretches beyond understanding legal compliance with data protection laws and regulations.

• Monitoring of DPOs will be the responsibility of the Regulator rather than the Board of Directors of the organisation that employs the DPO: the independence factor.

• Internally, the DPO will need to create their own support team and will also be responsible for their own continuing professional development as they need to be relatively independent of the organisation that employs them, effectively acting as a ‘business enabler’ within organisations.

Data Protection Officer

Qualifications

Art. 37(5): ‘The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.’

• Certifications: CIPP/E (EU data protection legislation), CIPM (data protection practices, [D]PIAs, Program mgt)

• Further qualifications & continuous education

CIPP/E: EU laws and regulations

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM: Operations

The first and only privacy certification for professionals who manage day-to-day operations

Data Protection Officer

Responsibilities (Art. 39)

• Counsel the entity in regard to applicable data protection laws

• Monitor compliance with applicable data protection (GDPR) provisions and alignment with internal policies, including the assignment of responsibilities

• Awareness-raising and training of staff involved in the processing operations

• Conduct data protection audits and [D]PIAs

• Cooperate and communicate with the responsible regulatory authority

Data Protection Officer

Data Protection Risk Management

(Art. 39(2)): ‘The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.’

Privacy Risks

• Notice and Consent

• Data Loss

• Data Usage

• Individuals’ Rights

• Data Transfers

• Third Parties

• Over-retention of data

Key Risk Impacts

• Financial Impact

• Reputational Impact

• Regulatory Impact

Data Protection Officer

Positioning in the company (Art. 38)

1) Proper and timely involvement in all relevant aspects to be ensured by the controller

2) Support by sufficient resources and access to data and systems and allowance of further qualification

3) Independence of instructions and protection against sanctioning by controller as employer

4) Point of contact for data subjects

5) Professional secrecy and interest protection

Accountability & GDPR

Accountability is a Key Principle

The new accountability principle in Article 5(2) requires the controller to demonstrate compliance with the principles relating to personal data and states explicitly that this is the controller’s responsibility.

Demonstrating Accountability

• Demonstrate compliance by implementing appropriate technical and organisational measures

• Maintain relevant documentation

• Appoint a data protection officer, if appropriate

• Implement measures that meet principles of data protection by design and data protection by default

Outsourcing the DPO?

Shared and external DPOs

(Art. 37(2)): ‘A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.’

(Art. 37(6)): ‘The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.’

CPO vs. DPO

Considerations

• Is this mandatory DPO the lead data protection and privacy voice in the organisation?

• Does the DPO’s role in working with the regulator make it difficult for the DPO to engage in high-level strategic conversations?

• Would appointing external counsel as DPO create conflict when working with the lead privacy voice in the organisation?

• Remember Art. 38(3): ‘The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks.’


For questions or to request additional information:

Paul Jordan
Managing Director, Europe
[email protected]
+32.(0)2.761.66.86
www.iapp.org