Advanced GDPR for DPOs and CDPOs, 29th March 2018 (CPD Ref: 2018-0492)


The Practice and Legal Implications of Being a DPO

John Magee

Back to Basics: Being a DPO

“…the DPO is a cornerstone of accountability… In addition to facilitating compliance through the implementation of accountability tools (such as facilitating data protection impact assessments and carrying out or facilitating audits), DPOs act as intermediaries between relevant stakeholders (e.g. supervisory authorities, data subjects, and business units within an organisation).”

The all-seeing, all-knowing DPO must be:

• a source of wise counsel;
• a liaison person;
• a strategist;
• a discussion partner;
• a record keeper;
• a supervisor;
• a legal expert;
• a data security expert;
• an independent thinker; and
• in touch with the Force (i.e. the Data Protection Commissioner).

Expertise, Skills and Professional Qualities

• The DPO must have the requisite expertise and professional qualifications.
• Expertise must be commensurate with the sensitivity, complexity and amount of personal data an organisation processes – so know what personal data your organisation processes and the ways in which it processes personal data.
• The DPO should have:
– comprehensive knowledge of the GDPR and other applicable national and European data protection laws and practices
– knowledge of the business sector the organisation is operating in
– a good understanding of the processing operations carried out, as well as the information systems, data security and data protection needs
– a sound knowledge of the administrative rules, procedures and internal policies of the organisation

Position of the DPO

• The DPO must:
– be involved, in a proper and timely manner, in all issues relating to the protection of personal data
– be provided with the resources necessary to carry out functions and to maintain expert knowledge
– not be instructed on how to perform duties
– report to the highest level of management
– maintain independence
– not be dismissed or penalised for performing tasks
– not become conflicted when fulfilling tasks and duties

Resources

• DPOs require:
– adequate support in terms of finance, infrastructure and staff
– sufficient time to fulfil duties
– access to and communication with other teams/departments, such as HR, legal, IT and security
– continuous training

Independence & Conflicts of Interest

• DPOs “should be in a position to perform their tasks and duties in an independent manner.”
• DPOs must not be instructed to take a certain view of an issue of data protection law.
• “Although DPOs are allowed to have other functions, they can only be entrusted with other duties provided that these do not give rise to conflicts of interests… Due to the specific organisational structure in each organisation, this has to be considered case by case.”

Role as Point of Contact

• The DPO must cooperate with the supervisory authority and act as the point of contact between the supervisory authority and the organisation.
• The DPO facilitates access by the supervisory authority to the documentation and information it needs to conduct the tasks listed in Articles 57 and 58.

Role in Record Keeping

• Processors and controllers are required to maintain records of their processing activities.
• In practice, DPOs will have a significant role in record keeping, and will often be expected to:
– create inventories of the types of personal data held
– maintain a register of the processing operations the organisation is engaged in
– liaise with different departments/elements of the business to form a centralised view of processing activities

Data Protection Impact Assessments

• Controllers must seek the advice of the DPO when conducting a DPIA.
• The DPO must provide advice on and monitor the performance of the DPIA.
• If the Controller cannot sufficiently address the risks identified in the DPIA, then the Controller (DPO?) must consult the supervisory authority.
• Controllers must carry out a DPIA before carrying out processing which is likely to result in a high risk to the rights and freedoms of natural persons.
• The DPIA involves assessing the impact of the envisaged processing operations on the protection of personal data.

DPOs and the Data Protection Bill 2018

• Not yet finalised – currently going through the Oireachtas.
• The Article 29 Working Party Guidelines state that “DPOs are not personally responsible for non-compliance with data protection requirements.”
• Under the Bill, where an offence is proven to have been committed “with the consent or connivance of or to be attributable to the neglect on the part of a person, being a director, manager, secretary or other officer of that body corporate, … that person, as well as the body corporate, shall be guilty of that offence and be liable to be proceeded against and punished accordingly.”

Industry Trends

1. Mandatory DPOs – required under Article 37
2. Voluntary DPOs – beware the WP29 Guidance
3. Group DPOs – must be accessible by all
4. DPO Team – will often be necessary for large operations
5. Part-Time DPOs – careful: must avoid conflicts of interest

John Magee, Partner, William Fry
[email protected]
+353 1 489 6532
williamfry.com/privacysource
@WFidea

GDPR in Day to Day Operations

Kevin Sweeney, IT Director and DPO, CPL Group

[Map: countries in which Cpl has an office, and countries in which Cpl provides services]

One Day in CPL (Fri Jan 19th)

• 985 new CVs
• 1116 updated candidates
• 1260 applications
• 370 submittals
• 140 interviews
• 120 secure docs
• 2664 candidate phone calls
• 82 perm placements
• 40 new payroll starters
• 29 P45s processed
• 4500 timesheets
• 105 jobs added

Corporate Data Flows for Key Services

Staff – Our Biggest Threat (Naivety over Negligence)

• Starters & Leavers: audited process to ensure access rights are appropriate and current
• Induction Training: all staff receive 1 hour DP training in first month
• Controls at Work: external email blocks; application and location restrictions on file extraction
• Online Training and Testing: DP module for all staff; testing must be completed
• Simulated Phishing Tools: 2017 target tests for 1 month on Top 100; follow-up reviews with key teams
• Detection Tools: email discovery; web monitoring

External Threat Protection

• Perimeter Protection: group firewall; single route; hosted service
• Malware: endpoint protection
• Desktop: Windows 10 rollout; USBs
• Software Patching: weekly release; urgent releases
• Emails: protection rules; discovery; phishing/ATP
• Mobiles: group control; encryption

Focus Areas

• Process and Data Automation: critical milestones, auto tracking and segmentation
• Data Transfer and Storage: EU locations, file encryption, anonymisation, pseudonymisation
• The Other Data Stores: share drives, Excel sheets, other cloud apps, paper docs
• Satellite Groups: DPO authority, sharing rules, standard policies
• International Locations: supervisory authority, due diligence, acquisitions

A Data Protection Officer’s Perspective

Mary Colhoun, Director of Data Protection, eir

Contents

• DPO – multi-faceted requirements
• Primary demands
• Post May 2018 governance
• May 25th and beyond……


DPO – multi-faceted role!

Operational demands
• Day to day queries – across retail, call-centre, network fleet, Head Office environment, FOTs, strategic partners, core network

Strategic demands
• ODPC – complaints/sectoral audits/clarifications
• Senior Management Team/Shareholders/Board/Investors


DPO – multi-faceted role!

Internal demands
• Key stakeholder management
• Budget
• Resources
• Recruitment of allies

External demands
• Brand
• Industry


Why? … Life post May 2018

• DPO should have:
– knowledge of the business sector the organisation is operating in
– good understanding of the processing operations carried out – in addition to internal IT systems, data security in place and data protection needs
• End to end visibility of personal data is key
• Knowledge of the internal procedures and policies (Group?)
• Impact of acquisitions (Setanta Sport)


How? … Life post May 2018

Data Protection Governance model – what will it look like?

• Adaptation of a standard three lines of defence model?
– First – Operational/Business unit
– Second – Legal/Compliance – centralised Data Protection team
– Third – Internal Audit (data protection audit capability)
• Why – operational data protection capability “at the coal face”
• Scalability
• ODPC dialogue

Who? … Life post May 2018

Layered approach –

• Data Protection Liaisons/Champions at Business Unit level
– Specific DP role responsibility (within HR objectives)
– Standard and bespoke additional training
– Certifications – ACOI/IAPP for certain role holders/skill sets (Compliance officers/IT)
• Centralised Data Protection Forum – (Data Protection/Privacy Council)
• Leverage other “Data” stakeholders – e.g. Data Governance/Digital/Data Officers


When? … Life post May 2018

• Layered approach to Stakeholder management
– Procurement process
– Vendor management process
– Finance/IT Capex process
– IT development/acquisition process
• Use of sign-offs/standard assessments in decision making chains (new suppliers/products/uses being put to data)
• Use GDPR Programme analysis to inform where the Data Protection “lens” should sit in the lifecycle – and have a plan/methodology to integrate findings


Journey … post May 2018

• Sectoral issues – e.g. marketing prosecutions within Telco sector; audits re retention of call records
• Public issues – Privacy Shield; Facebook/Cambridge Analytica – impact on Data Analytics
• Near misses – Data Security/Suppliers – adapt!


Thank you

eir.ie

Pre-Submitted Questions

Questions for the panel submitted/raised in advance of today’s event.

DPO Role

1. Conflicts: Can the DPO be an IT staff member? What about the Art 29 Guidance?
2. Reporting: I will be carrying out the role of DPO in my organisation - to whom am I likely to have to report matters on a regular/annual basis?
3. Budgets: In terms of thinking ahead to budgets for Capex and Opex what should I be including?
4. Multiple DPOs: How do we handle HQ DPO in relation to local/overseas DPOs?

Enforcement

5. What aspects of GDPR do the panel expect will be the key focus for regulatory enforcement post-May?

Data Security & Breach response

6. Does the panel feel that Irish businesses will be ready to meet the challenge of mandatory breach reporting?
7. Data Security & Email - What’s the impact of doing business with my own email address or using a client email whilst working onsite? Encryption of emails – Should all external emails be encrypted?

Data retention

8. Does GDPR have an impact on Data retention?
9. Any advice on retention generally & email retention in particular?

Direct marketing

10. Is there any chance that the revised ePrivacy Regulation will be in force by May?
11. What trends are the panel seeing in relation to how businesses are approaching issues such as direct marketing and cookies?

Data subject rights

12. What are the biggest challenges businesses are facing in implementing procedures to deal with the new and revised rights - & any advice?
13. Employer references - disclose?

Legal basis for processing

14. How important in the panel's view is identifying the correct legal basis for processing activities - how are businesses managing with this aspect of GDPR readiness?
15. General Insurance – named drivers & consent?

Data minimisation

16. What kind of practical steps can a DPO take to ensure the business is complying with data minimisation rules?
17. In a post GDPR world, what is the panel’s view of best practice in terms of the levels of access to customer data that trainees ought reasonably be given while being trained in for a certain role?

Data Portability

18. How do we prepare?

Vendor management

19. Is there a role for adopting a risk-based approach when tackling the enormous task of implementing contracts with processors?
20. What kinds of issues are proving the biggest stumbling blocks in negotiations in terms of GDPR clauses?

International transfers

21. With the Schrems case still on-going, how are businesses approaching standard contractual clauses - is there much activity in that regard?

Thank you for attending Advanced GDPR for DPOs and CDPOs, 29th March 2018 (CPD Ref: 2018-0492).