Paul Jordan Thursday 12 October,


GDPR Readiness: Role of the DPO OXS 17 Brussels Paul Jordan Thursday 12 October, 2017

Overview
General DPO requirements under the GDPR: legitimacy of the DPO role
International research findings in data protection

The growth of an industry

Data Protection Officers (Art. 37-39)
Data Protection Officers (Art. 37-39) are to ensure compliance within organisations (and supply chains). They have to be appointed for all public authorities and for companies where the core activities:
- regularly and systematically monitor data subjects on a large scale, or
- process on a large scale special categories of data (Art. 9 and 10).

DPD, SECTION IX, NOTIFICATION
Article 18, Obligation to notify the supervisory authority
1. (...)
2. Member States may provide for the simplification of or exemption from notification only in the following cases and under the following conditions: (...) Where the controller, in compliance with the national law which governs him, appoints a personal data protection official, responsible in particular:
- for ensuring in an independent manner the internal application of the national provisions taken pursuant to this Directive
- for keeping the register of processing operations carried out by the controller, containing the items of information referred to in Article 21(2),
thereby ensuring that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations.
Article 20, Prior checking
1. (...)
2. Such prior checks shall be carried out by the supervisory authority following receipt of a notification from the controller or by the data protection official, who, in cases of doubt, must consult the supervisory authority.

GDPR, SECTION 4, DATA PROTECTION OFFICER
Article 37, Designation of the data protection officer
1. The controller and the processor shall designate a data protection officer in any case where:
a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

Data Protection Officers: Nature and challenges
The DPO is similar to, but not the same as, a Compliance Officer: the DPO is also expected to be proficient at managing IT processes, data security (including dealing with cyber-attacks) and other critical business continuity issues around the holding and processing of personal and sensitive data. The skill set required stretches beyond understanding legal compliance with data protection laws and regulations.
Monitoring of DPOs will be the responsibility of the regulator rather than the Board of Directors of the organisation that employs the DPO: the independence factor.
Internally, the DPO will need to build their own support team and will also be responsible for their own continuing professional development, as they need to be relatively independent of the organisation that employs them, effectively acting as a business enabler within the organisation.


Data Protection Officer: Qualifications
Art. 37(5): "The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39."
Certifications: CIPP/E (EU data protection legislation), CIPM (data protection practices, [D]PIAs, program management)
Further qualifications and continuous education

Data Protection Officer: Responsibilities (Art. 39)
- Counsel the entity in regard to applicable data protection laws
- Monitor compliance with applicable data protection provisions and alignment with internal policies, including the assignment of responsibilities
- Awareness-raising and training of staff involved in the processing operations
- Conduct data protection audits and [D]PIAs
- Cooperate and communicate with the responsible regulatory authority

Data Protection Officer: Data Protection Risk Management
Art. 39(2): "The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing."

Privacy Risks
- Data loss
- Individuals' rights
- Notice and consent
- Data usage
- Data transfers
- Third parties
- Over-retention of data

Key Risk Impacts
- Financial impact
- Regulatory impact
- Reputational impact

Data Protection Officer: Positioning in the company (Art. 38)
(1) Proper and timely involvement in all relevant aspects, to be ensured by the controller
(2) Support by sufficient resources and access to data and systems, and allowance of further qualification
(3) Independence from instructions and protection against sanctioning by the controller as employer
(4) Point of contact for data subjects
(5) Professional secrecy and interest protection

Accountability and the GDPR
Accountability is a key principle. The new accountability principle in Article 5(2) requires the controller to demonstrate compliance with the principles relating to personal data and states explicitly that this is the controller's responsibility.

Demonstrating Accountability
- Demonstrate compliance by implementing appropriate technical and organisational measures
- Maintain relevant documentation
- Implement measures that meet the principles of data protection by design and data protection by default
- Appoint a data protection officer, if appropriate

Outsourcing the DPO? Shared and external DPOs
Art. 37(2): "A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment."
Art. 37(6): "The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract."

CPO vs. DPO: Considerations
- Is this mandatory DPO the lead data protection and privacy voice in the organisation?
- Does the DPO's role in working with the regulator make it difficult for the DPO to engage in high-level strategic conversations?
- Would appointing external counsel as DPO create conflict when working with the lead privacy voice in the organisation?
Remember Art. 38(3): "The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks."


For questions or to request additional information: Paul Jordan, Managing Director, Europe, IAPP, pjordan@iapp.org, +32.(0)2.761.66.86