Robert Bond, Partner, 3/13/2015. EU Data Protection Officer: Roles and responsibilities


EU Data Protection Officer: Roles and responsibilities
Robert Bond, CCEP, Head of Data Protection and Cyber Security Law and DPO, charlesrussellspeechlys.com

Robert Bond, Partner
Robert Bond has over 36 years' experience in advising national and international clients on all of their commercial IP, technology and data protection requirements. He also provides international notarial services and compliance advice. He is a legal expert and author in the fields of e-commerce, computer games, media and publishing, data protection, information security and cyber risks. He is named in the National Law Journal's list of 50 Governance Risk & Compliance Trailblazers, listed in the top 10 in the Who's Who of Information Technology Lawyers 2014 and also in "Best Lawyers in UK".
Tel: +44 (0) robert.bond@crsblaw.com
"He continues to impress year on year. His spark of imagination and ability to grasp the technology is amazing." Chambers UK

Data protection is at the heart of any business
PERSONAL DATA sits at the centre of:
- Reporting and Discovery
- Commercial Contracts
- Big Data
- Outsourcing / Cloud
- M & A
- Investigations & Claims
- Employment
- Social media
- Global Presence
- Corporate Restructuring

OUR EXPERIENCE
We have advised clients on all matters pertaining to data protection, including:
- Rolling out comprehensive, global data privacy programmes and policies for multinationals
- Training: face-to-face, via webinars and tailored e-learning modules
- International data transfer solutions
- Data breaches and cyber incidents
- Employee monitoring
- The implications of data privacy on marketing strategies
- Cookies and similar technologies
- Data retention and destruction
- Subject access requests
- Social media and Bring Your Own Device
- Big Data and IoT
- Telemetry technology
- Outsourcing contracts
- Data protection in the procurement process
- Data protection issues in relation to corporate transactions and due diligence
- Privacy Impact Assessments
- Notifications/filings with data protection authorities

Current DPO position in Europe
- Some jurisdictions require the appointment of a Data Protection Officer (DPO), e.g. Germany, Belgium, Hungary, Slovakia, Russia, Poland
- The DPO is empowered to ensure the company is compliant with all aspects of applicable data protection laws and regulations
- The DPO may be notified to the relevant data protection authority in some jurisdictions
- The EU Data Protection Regulation will require all but the smallest companies to appoint a DPO

Responsibilities: Notification / Registration
- Notifying the relevant Data Protection Authority of the company's data processing activities
- Keeping notifications updated from time to time
- Maintaining separate notifications in respect of all data processing entities within the corporate group
- Making any necessary filings in relation to international data transfers with the Data Protection Authority

Data Protection notifications, filings and registrations: what is this?
- More than a tick-the-box exercise
- More than a bureaucratic formality
- Purpose: to assist the Data Protection Authorities (DPAs) in enforcing the data protection law
- You must be fully informed to present a registration/notification
- Types of notifications:
  - Prior registration of processing operations
  - Prior checking of processing operations
  - Notification of breaches to the DPA
  - Notification of breaches to the data subjects
  - Other types of notifications / requests for authorisation

Responsibilities: Managing data controllers and data processors
- To monitor the activities of all data controllers within the corporate group (e.g. HR, sales and marketing, procurement functions)
- Liaison with relevant departments in respect of changes to processing activities, such as HR in relation to staff leaving, interviews and recruitment, new members of staff, subcontractors
- To provide advice to the company, the board and staff on compliance
- To manage data processors on behalf of the company
- To monitor any outsourcing of data processing activities to third party processors
- To ensure third party data processors enter into suitable contracts to ensure compliance with applicable data protection rules
- To define information security and data handling practices to be observed by third party data processors

Responsibilities: Policies, Procedures and Practices
- To provide guidelines to the company board and members of staff
- To provide guidelines to new members of staff
- To provide guidelines to contractors and third parties using company information
- HR liaison in relation to policies, procedures and practices specifically for members of staff, interviewees and job applicants
- Liaison with IT department in relation to developing policies, procedures and practices for information security, data handling, outsourcing and monitoring
- To liaise with sales and marketing to ensure compliance with applicable law and regulations for marketing, advertising and PR

Responsibilities: Training
- To provide facilities for training/raise awareness of existing staff, new staff and the Board
- To advise and coordinate in-house training by departments and groups
- To produce regular articles to update on new legislation and guidelines
- To raise awareness of new developments as they emerge

Responsibilities: Subject Access Requests
- To manage and administer Subject Access Requests
- Initial point of contact for employees in relation to Subject Access Requests
- To raise employees' awareness of Subject Access Requests and the importance of a timely response
- To ensure responses to Subject Access Requests comply with the law (in the appropriate time frames)
- To provide the company board and staff with policies, procedures and practices in relation to compliance with Subject Access Requests and, where applicable, freedom of information access requests

Responsibilities: Audit
- To regularly audit for compliance with applicable legislation and regulations
- To advise the company of any changes to policies, procedures and practices as a result of any annual audit
- To implement any authorised changes to policies, procedures and practices resulting from an audit
- To consider, where necessary, the use of specialist advisors in relation to audit and compliance

What the future holds

EU DATA PROTECTION OFFICER: WHEN
Obligation to appoint a DPO applies to controllers and processors:
- Who are public authorities or bodies
- Who process personal data of more than 5000 individuals per 12 month period
- Who carry out activities involving regular and systematic monitoring of individuals
- Who process special categories of personal data
A group of undertakings may appoint a single DPO.

EU DATA PROTECTION OFFICER: WHO AND HOW
Data Protection Officers are chosen for their professional qualities:
- Expert knowledge of data protection law and practices, including:
  - Technical & organisational measures & procedures
  - Mastery of technical requirements for privacy by design, by default and data security
  - Industry specific knowledge in accordance with the size of the controller or processor and the sensitivity of the data processed
- Ability to carry out inspections, consultation, documentation and log file analysis
- Ability to work with employees' representation
- The organisation must enable the DPO to take part in advanced training measures to maintain specialised knowledge

EU DATA PROTECTION OFFICER: TASKS AND FORMALITIES
Tasks (trusted adviser or police?):
- Raise awareness
- Monitor implementation and applicability of the policies
- Monitor implementation and applicability of the Regulation
- Ensure mandatory documentation is maintained
- Monitor the documentation, notification and communication of data breaches
- Monitor privacy impact assessment and prior consultation
- Monitor responses to the Data Protection Authorities
- Contact point to the Data Protection Authorities
- Inform employees' representatives on employees' data processing
- Verify compliance with this Regulation
Appointed for 4 years (employee) or 2 years (service provider).
There is a catch: DPOs will be protected employees!

OBLIGATION TO MAINTAIN DOCUMENTATION: ACCOUNTABILITY PRINCIPLE
- Organisations must keep appropriate policies & procedures, such as data retention and data management
- Policies & procedures reviewed at least every two years
- Reports of the activities of the controller shall contain a summary of policies & procedures
- Documentation must also contain:
  - Name & contact details of the controller, joint controller, processor and representative
  - Name & contact details of the DPO
  - Name & contact details of controllers to whom personal data is disclosed

The Proposed EU Data Protection Regulation: Remedies and sanctions
- Fines of up to 5% of annual worldwide turnover may be imposed for non-compliance, and without-notice investigations
- Criteria to set out the level of fine will include the degree of technical and organisational security measures and procedures implemented to:
  - Data protection by design and by default
  - Security of processing
  - Data protection impact assessment
  - Data protection compliance review
  - Designation of the Data Protection Officer

Questions?

charlesrussellspeechlys.com