Webinar: Deep Dive into the Role of the DPO under the GDPR

Similar documents
DATA PROTECTION OFFICER (DPO) Maria Maxim Partner Bucharest October 25, 2017

Paul Jordan Thursday 12 October,

Introduction. Key points of the recent ODPC guidance, and the Article 29 working group guidance

GDPR Readiness: Role of the DPO

Firm Creobis, Berchem, results 7 March 2017

ARTICLE 29 DATA PROTECTION WORKING PARTY

Briefing No. 2 GDPR. 1 mccann fitzgerald

Presenting a live 90-minute webinar with interactive Q&A. Today s faculty features:

Comments by the Centre for Information Policy Leadership. on the Article 29 Data Protection Working Party s

JOB DESCRIPTION: Hospitality Data Protection Officer

GDPR Webinar 1: Overview of Preparing for the GDPR. T-Minus 441 Days (March 9, 2017) Presenter: Peter Blenkinsop.

Robert Bond Partner 3/13/2015. EU Data Protection Officer: Roles and responsibilities

GDPR. Legalities, Policies and Process Part 3 of our series on GDPR and its impact on the recruitment industry

WSGR Getting Ready for the GDPR Series

What do companies need to do?

GDPR: AN OVERVIEW.

CIPL and its GDPR Project Stakeholders Discuss DPOs and Risk under GDPR

General Data Protection Regulation. Jim Sneddon GDPR-P, CISSP

THE GENERAL DATA PROTECTION REGULATION: GUIDANCE ON THE ROLE OF THE DATA PROTECTION OFFICER

Auditing of Swedish Enterprises and Organisations

BOARD OF DIRECTORS CHARTER

GDPR: Are You Ready? Mapping the Road to GDPR Compliance. March 2018

GDPR Privacy notice for Students

The One Stop Shop Working in Practice

12 STEPS TO PREPARE FOR THE GDPR

GDPR is coming in 108 days: Are you ready?

STRATEGIES FOR EFFECTIVELY WORKING WITH THIRD-PARTIES. September 2017

GDPR journey: from ready to compliant GDPR survey results

We reserve the right to update this privacy notice at any time. Please check our website from time to time for any changes we may make.

Anheuser-Busch Companies, Inc. Audit Committee Charter

Preparing for the GDPR

BOARD OF DIRECTORS MANDATE

W h i t t l e s C h a r t e r e d A c c o u n t a n t s

PRIVACY NOTICE May 2018

ARTICLE 29 Data Protection Working Party

Preparing Your Vendor Agreements for the General Data Protection Regulation

b. by a controller not established in EU, but in a place where Member State law applies by virtue of public international law.

General Data Protection Regulation (GDPR)

GENERAL DATA PROTECTION REGULATION Guidance Notes

Getting Ready for the GDPR

The data protection rules require that personal information we hold about you must be:-

RBA Online Privacy Notice for

GOPRO, INC. CORPORATE GOVERNANCE GUIDELINES. (Adopted May 1, 2014 and effective as of GoPro, Inc. s initial public offering; revised August 4, 2015)

GDPR Compliance Checklist

FARMER BROS. CO. CORPORATE GOVERNANCE GUIDELINES (Adopted February 1, 2017)

Contract Services Europe Privacy Notice

General Data Protection Regulation ( GDPR ) National Care Forum How Boards Manage GDPR Compliance & Risks. By Meena Lekhi, Associate

Call-Off Contract. Legal Consultancy Services Framework Call-Off Number DCCT0012 Legal consultancy on GDPR. Version: V1.0

GPDR: Privacy Statement Last updated April How your personal information is used by Allander Print Limited.

Paul Vane Acting Information Commissioner

KEMBLE PRIMARY & SIDDINGTON CE PRIMARY SCHOOLS DATA PROTECTION & THE GENERAL DATA PROTECTION REGULATION (GDPR) POLICY

General Data Protection Regulation

Stolle Europe Introduction Important information and who we are Controller and contact information Complaints

Board Chair Charter. 1. About the Charter. 2. Composition. Purpose

PREPARING YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST DATA PROTECTION COMMISSIONER

Our position. AmCham EU Comments on the Working Party 29 guidelines on data Protection Impact Assessment (DPIA)

Customer Advocacy. Complaints Management Policy

Foreword... 3 Executive Summary... 4 Survey Results and Key Findings GDPR Impact, Organisational Readiness & Resources...

ARTICLE 29 DATA PROTECTION WORKING PARTY

POLARIS INDUSTRIES INC.

Audit and Risk Committee Charter

GUIDE TO CORPORATE GOVERNANCE OF THE BOARD OF DIRECTORS

EU General Data Protection Regulation (GDPR)

BOARD CHARTER TOURISM HOLDINGS LIMITED

GDPR: A PRAGMATIC APPROACH

TERMS OF REFERENCE OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS

F5 NETWORKS, INC. CORPORATE GOVERNANCE GUIDELINES (as of July 10, 2015)

GDPR Compliance Benchmarking: Measuring Accountability

The Growth Company Group Privacy Notice

Terms of Reference for the Management Board of Deutsche Bank Aktiengesellschaft in accordance with the Supervisory Board resolution as of 25 May 2018

AUDIT COMMITTEE CHARTER AS AMENDED AS OF MAY 6, 2015

Guidance on the General Data Protection Regulation: (1) Getting started

Guidelines on the management body of market operators and data reporting services providers

General Data Protection Regulation Philippe Roggeband. Business Development, Manager, GSSO EMEAR

BOARD CHARTER JUNE Energy Action Limited ABN

Depending on the circumstances, we may collect, store, and use the following categories of personal information about you:

Data Protection Officer

One unified law that applies directly to all EEA member states. Text of the Regulation -

Corporate Governance Principles

PRIVACY STATEMENT Date: 25 May 2018

PRIVACY STATEMENT Date: 25 May 2018

1.4. The chairperson should be an independent, non-executive director.

EU General Data Protection Regulation: are you ready?

Will Your Company Pass a Privacy Audit?

GDPR: What Every MSP Needs to Know

A PRACTICAL GUIDE TO GDPR BREACH NOTIFICATION AND SECURITY REQUIREMENTS

MALIN CORPORATION PLC CORPORATE GOVERNANCE GUIDELINES. Adopted on 3 March 2015 and Amended on 26 May 2015

Audit and Risk Committee Charter POL-00053

Audit and Risk Committee Charter POL-00053

General Data Protection Regulation

Agenda. What is the GDPR? Who does GDPR apply to? Implications of Non-Compliance The Road to GDPR Compliance

CODE OF CORPORATE GOVERNANCE 2010

FRONTERA ENERGY CORPORATION CORPORATE GOVERNANCE POLICY

TECHNICAL RELEASE TECH 05/14BL. Data Protection Handling information provided by clients

Board Charter POL-00007

CHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR. Legal02# v1[RXD02]

Data Protection in schools and colleges: Questions from the Governing Board/Trustees/Directors

Data protection (GDPR) policy

ACCENTURE BINDING CORPORATE RULES ( BCR )

GDPR: An Evolution, Not a Revolution

Transcription:

Webinar: Deep Dive into the Role of the DPO under the GDPR Wednesday, 22 June 2016 11:00 AM US EDT Use the chat box to ask questions. www.informationpolicycentre.com 1

Webinar Agenda Use the chat box to ask questions. Introduction and Overview of the Role of the DPO in the GDPR Bojana Bellamy, President, CIPL Guest Presentations: 1. DPO and Accountability (Nathalie Laneret, Group Data Protection Officer, Capgemini) Mandatory and voluntary DPOs: appointment and roles Knowledge, skills and abilities of DPOs Relationship with European data protection authorities ( EU DPAs ) 2. DPO Tasks (Tracy Ann Kosa, Compliance Director, Microsoft) Main DPO tasks. Is the DPO role a compliance as well as strategic data governance role? Timely" and "proper" involvement and access to resources obligations 3. DPO Independence and No Conflict (Cecilia Álvarez, European Data Protection Officer Lead, Spain Legal Director, Pfizer) DPO independence No conflict obligations Q&A Discussion Common guest topics: Natural/Legal persons, internal vs. external, and protected employment status of DPO Geographic location of DPO (including Group DPO) viz main establishment/lead authority DPO liability (e.g. criminal, administrative and corporate) www.informationpolicycentre.com 2

Mandatory DPO under GDPR Use the chat box to ask questions. Mandatory DPO for controllers and processors: a) If the processing is carried out by a public authority or body; b) Core activities (taking into account their scope and/or purposes) involve systematic and regular monitoring of data subjects on a large scale; c) Core activities involve large scale processing of sensitive data and personal data relating to criminal convictions and offences; or d) Mandated by Member States. www.informationpolicycentre.com 3

DPO Requirements (1) DPO can be an employee, external consultant, or collective DPO for an industry association May be a single DPO for a group of undertakings Name/contact details communicated to EU DPA & publicly available DPO selection criteria: Professional qualities in particular expert knowledge of data protection law and practices and ability to fulfil DPO tasks; and Necessary expert knowledge level: dependent upon processing operations and the level of protection required for the data. DPO independence: Protected employment status; No instructions from company on DPO tasks; and Perform tasks in an independent manner ; Qualification of the independence criteria requirement for DPO to report to highest management www.informationpolicycentre.com 4

DPO Requirements (2) DPO duties of secrecy or confidentiality Duties of organisations towards DPOs: Timely and proper DPO involvement in data protection matters; Support DPO by a) Providing access to resources necessary to carry out their tasks b) Giving access to data and processing operations c) Maintaining their expert knowledge No conflict of interests when DPO undertakes non-dpo tasks. www.informationpolicycentre.com 5

Tasks of DPO Inform and train: make their organisations aware of their data protection obligations and responsibilities; Advise: provide organisations advice on data protection laws and in particular advice on data protection impact assessments, risk and accountability; Monitor: monitor compliance with data protection laws and relevant company policies; Co-operate and consult: with EU DPAs on relevant data privacy matters (e.g. complaint-handling, investigation etc.) Contact point for EU DPAs: on processing issues including prior consultation; and Contact point for data subjects : Individuals may contact DPO on all processing issues and exercise their GDPR rights. Overarching DPO obligation to consider the risks associated with the processing operations when undertaking their DPO tasks, taking into account the nature, scope, context and purposes of processing. www.informationpolicycentre.com 6

DPO and Accountability Nathalie Laneret Group Data Protection Officer, Capgemini www.informationpolicycentre.com 7

DPO and Accountability (1) Use the chat box to ask questions. Mandatory and Voluntary DPO DPO and accountability Canadian DPA Accountability Paper (2012) https://www.priv.gc.ca/information/guide/2012/gl_acc_201204_e.pdf WP 173 on the principle of accountability (2010) http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp173_en.pdf WP 153 on elements and principles to be found in BCR (2008) http://ec.europa.eu/justice/data-protection/article-29/documentation/opinionrecommendation/files/2008/wp153_en.pdf DPO and risk Article 37.1 GDPR (DPO) Article 35.3 GDPR (DPAI) DPO and administrative sanctions Article 83.4 (a) GDPR Article 83.2 (k) GDPR DPO and flexibility www.informationpolicycentre.com 8

DPO and Accountability (2) Use the chat box to ask questions. Knowledge, skills and abilities of the DPO (Articles 37.5 and 39 GDPR) DPO as legal counsel DPO as compliance officer DPO as IT/security specialist DPO as risk manager DPO as program manager DPO as communication manager Relationship with EU DPAs Article 39 (d) & (e) GDPR on DPO tasks Article 58.1 & 2 GDPR on investigative and corrective powers of DPA www.informationpolicycentre.com 9

DPO Tasks Tracy Ann Kosa Compliance Director, Microsoft www.informationpolicycentre.com 10

DPO Functions Privacy Program Drive Business Planning Risk Mitigation Quantify the ROI Privacy Compliance Evidence of Compliance Regulatory Inquiry Assist in Unblocking Sales

Program Tasks Risk Assessment Strategy Design / Infrastructure Documentation Incident Management Training www.informationpolicycentre.com 12

DPO Role Details # DPO Accountability Business Activities Testable Control for Compliance 1 A company-wide privacy program Business leader as privacy champion Role specific accountabilities Documented R&Rs Min. qualifications 2 Documentation reflecting applicable laws and regulations Feedback cycle Environmental monitoring Requirements database Documented change management 3 Supplier management incorporates privacy 4 Privacy reviews; impact assessments are completed Agreements, training, audits Standard contract usage Access commensurate with rating Documented methodology and sign off Evidence of completed reviews 5 Company-wide privacy training and awareness 6 Privacy is incorporated to incident management 7 A data inventory of all personal information (employee and customer) 8 Contributing to risk management for the business as it pertains to privacy 9 Requirements are monitored for changes that affect the business Role base training developed, updated and delivered regularly R&R are assigned and documented; response plan is implemented, reviewed and tested Consistent data classification is applied to inventory Ongoing monitoring and assessment of the business privacy risk Business practices are updated in response to changing requirements Documentation is updated accordingly Training completion records Distribution of awareness materials Incident related documentation kept Notification requirements are documented Data inventory Data classification Baseline privacy risk categories and register Current requirements log/tracker www.informationpolicycentre.com 13

DPO Independence and No Conflict Cecilia Álvarez European Data Protection Officer Lead, Spain Legal Director, Pfizer www.informationpolicycentre.com 14

DPO Independence 25.11.2010: Resolution of the German DPAs responsible for the private sector on the minimum requirements for the (qualifications and) independence of company DPOs: 17.12.2012: EPD Report on the Status of Data Protection Officers Could we agree? www.informationpolicycentre.com 15

DPO Independence A DPO IS NOT: - a DPA - data subjects representative - the CEO! A DPO must be able to combine INTEGRITY & LOYALTY: - Knowledge - Status * high reporting line * operational and financial autonomy - Protection/no penalties to carry out his/her work properly: * Objective reasons to withdraw his/her appointment * Protection against individual liability * Insurance coverage * Others? www.informationpolicycentre.com 16

Conflicts of Interest? Internal DPOs - Part-time DPO - Board of Directors Member External DPO - Legal advisors to an organisation also operating as the organisation's DPO - Strategic DPO role and advice to several clients of the same sector or engaged in the same transaction www.informationpolicycentre.com 17

Q&A Discussion 1. DPO and Accountability (Nathalie Laneret, Group Data Protection Officer, Capgemini nathalie.laneret@capgemini.com) Mandatory and voluntary DPOs: appointment and roles Knowledge, skills and abilities of DPOs Relationship with European data protection authorities ( EU DPAs ) 2. DPO Tasks (Tracy Ann Kosa, Compliance Director, Microsoft - trako@microsoft.com) Main DPO tasks. Is the DPO role a compliance as well as strategic data governance role? Timely" and "proper" involvement and access to resources obligations 3. DPO Independence and No Conflict (Cecilia Álvarez, European Data Protection Officer Lead, Spain Legal Director, Pfizer cecilia.alvarez@pfizer.com) DPO independence No conflict obligations Common guest topics: Natural/Legal persons, internal vs. external, and protected employment status of DPO Geographic location of DPO (including Group DPO) viz main establishment/lead authority DPO liability (e.g. criminal, administrative and corporate) 2016 The Centre for Information Policy Leadership (CIPL) at Hunton & Williams LLP. The content of this message contains the views of CIPL and does not represent the opinion of either its individual members or Hunton & Williams LLP. The views expressed in any attached or linked recordings represent the views of the individual correspondents reporting on behalf of CIPL and should not be construed as the views of Hunton & Williams LLP or any of its clients. CIPL does not provide legal advice. These materials have been prepared for informational purposes only and are not legal advice, nor is this information intended to create an attorney-client or similar relationship. Whether you need legal services and which lawyer you select are important decisions that should not be based solely upon these materials. Please do not send us confidential information.

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback