Advanced GDPR for DPOs and CDPOs - acoi.ie · 29th March 2018 CPD...
TRANSCRIPT
Back to Basics: Being a DPO
“…the DPO is a cornerstone of accountability… In addition to facilitating compliance through the implementation of accountability tools (such as facilitating data protection impact assessments and carrying out or facilitating audits), DPOs act as intermediaries between relevant stakeholders (e.g. supervisory authorities, data subjects, and business units within an organisation).”
The all-seeing, all-knowing DPO must be:
• a source of wise counsel;
• a liaison person;
• a strategist;
• a discussion partner;
• a record keeper;
• a supervisor;
• a legal expert;
• a data security expert;
• an independent thinker; and
• in touch with the Force (i.e. the Data Protection Commissioner).
Expertise, Skills and Professional Qualities
• The DPO must have the requisite expertise and professional qualifications.
• Expertise must be commensurate with the sensitivity, complexity and amount of personal data an organisation processes – so know what personal data your organisation processes and the ways in which it processes personal data.
• The DPO should have:
– comprehensive knowledge of the GDPR and other applicable national and European data protection laws and practices
– knowledge of the business sector the organisation is operating in
– a good understanding of the processing operations carried out, as well as the information systems, data security and data protection needs
– a sound knowledge of the administrative rules, procedures and internal policies of the organisation
Position of the DPO
• The DPO must:
– be involved, in a proper and timely manner, in all issues relating to the protection of personal data
– be provided with the resources necessary to carry out functions and to maintain expert knowledge
– not be instructed on how to perform duties
– report to the highest level of management
– maintain independence
– not be dismissed or penalised for performing tasks
– not become conflicted when fulfilling tasks and duties
Resources
• DPOs require:
– adequate support in terms of finance, infrastructure and staff
– sufficient time to fulfil duties
– access to and communication with other teams/departments, such as HR, legal, IT and security
– continuous training
Independence & Conflicts of Interest
• DPOs “should be in a position to perform their tasks and duties in an independent manner.”
• DPOs must not be instructed to take a certain view of an issue of data protection law.
• “Although DPOs are allowed to have other functions, they can only be entrusted with other duties provided that these do not give rise to conflicts of interests… Due to the specific organisational structure in each organisation, this has to be considered case by case.”
Role as Point of Contact
• The DPO must cooperate with the supervisory authority and act as the point of contact between the supervisory authority and the organisation.
• The DPO facilitates access by the supervisory authority to the documentation and information it needs to conduct the tasks listed in Articles 57 and 58.
Role in Record Keeping
• Processors and controllers are required to maintain records of their processing activities.
• In practice DPOs will have a significant role in record keeping, and will often be expected to:
– create inventories of the types of personal data held
– maintain a register of the processing operations the organisation is engaged in
– liaise with different departments/elements of the business to form a centralised view of processing activities
Data Protection Impact Assessments
• Controllers must seek the advice of the DPO when conducting a DPIA.
• The DPO must provide advice on and monitor the performance of the DPIA.
• If the Controller cannot sufficiently address the risks identified in the DPIA, then the Controller (DPO?) must consult the supervisory authority.
• Controllers must carry out a DPIA before carrying out processing which is likely to result in a high risk to the rights and freedoms of natural persons.
• The DPIA involves assessing the impact of the envisaged processing operations on the protection of personal data.
DPOs and the Data Protection Bill 2018
• Not yet finalised – currently going through the Oireachtas.
• The Article 29 Working Party Guidelines state that “DPOs are not personally responsible for non-compliance with data protection requirements.”
• Under the Bill, where an offence is proven to have been committed “with the consent or connivance of or to be attributable to the neglect on the part of a person, being a director, manager, secretary or other officer of that body corporate, … that person, as well as the body corporate, shall be guilty of that offence and be liable to be proceeded against and punished accordingly.”
Industry Trends
1. Mandatory DPOs – required under Article 37
2. Voluntary DPOs – beware the WP29 Guidance
3. Group DPOs – must be accessible by all
4. DPO Team – will often be necessary for large operations
5. Part-Time DPOs – careful: must avoid conflicts of interest
John Magee, Partner, William Fry
+353 1 489 6532
williamfry.com/privacysource
@WFidea
GDPR In Day to Day Operations
Kevin Sweeney, IT Director and DPO, CPL Group
[Map: countries in which Cpl has an office; countries in which Cpl provides services]
One Day in CPL (Fri Jan 19th):
• 985 new CVs
• 1116 updated candidates
• 1260 applications
• 370 submittals
• 140 interviews
• 120 secure docs
• 2664 candidate phone calls
• 82 perm placements
• 40 new payroll starters
• 29 P45s processed
• 4500 timesheets
• 105 jobs added
Staff – Our Biggest Threat (Naivety over Negligence)
• Starters & Leavers – audited process to ensure access rights are appropriate and current
• Induction Training – all staff receive 1 hour DP training in first month
• Controls at Work – external email blocks; application and location restrictions on file extraction
• Online Training and Testing – DP module for all staff; testing must be completed
• Simulated Phishing Tools – 2017 target tests for 1 month on Top 100; follow up reviews with key teams
• Detection Tools – email discovery; web monitoring
External Threat Protection
• Perimeter Protection – group firewall; single route; hosted service; malware
• EndPoint Protection – desktop; Windows 10 rollout; USBs
• Software Patching – weekly release; urgent releases
• Emails – protection rules; discovery; phishing/ATP
• Mobiles – group control; encryption
• Process and Data Automation – critical milestones, auto tracking and segmentation
• Data Transfer and Storage – EU locations, file encryption, anonymisation, pseudonymisation
• The Other Data Stores – share drives, Excel sheets, other cloud apps, paper docs
• Satellite Groups – DPO authority, sharing rules, standard policies
• International Locations – supervisory authority, due diligence, acquisitions
Contents
Focus Areas
• DPO – multi-faceted requirements
• Primary demands
• Post May 2018 governance
• May 25th and beyond……
DPO – multi-faceted role!
• Operational demands – day to day queries across retail, call-centre, network fleet, Head Office environment, FOTs, strategic partners, core network
• Strategic demands – ODPC (complaints/sectoral audits/clarifications); Senior Management Team/Shareholders/Board/Investors
DPO – multi-faceted role!
• Internal demands – key stakeholder management; budget; resources; recruitment of allies
• External demands – brand; industry
Why? ……… Life post May 2018
• DPO should have knowledge of the business sector the organisation is operating in and a good understanding of the processing operations carried out – in addition to internal IT systems, data security in place and data protection needs
• End to end visibility of personal data is key
• Knowledge of the internal procedures and policies (Group?)
• Impact of acquisitions (Setanta Sport)
How? ……… Life post May 2018
Data Protection Governance model – what will it look like?
• Adaptation of a standard three lines of defence model?
– First – Operational/Business unit
– Second – Legal/Compliance – centralised Data Protection team
– Third – Internal Audit (data protection audit capability)
• Why – operational data protection capability “at the coal face”
• Scalability
• ODPC dialogue
Who? ……… Life post May 2018
Layered approach –
• Data Protection Liaisons/Champions at Business Unit level
– Specific DP role responsibility (within HR objectives)
– Standard and bespoke additional training
– Certifications – ACOI/IAPP for certain role holders/skill sets (Compliance officers/IT)
• Centralised Data Protection Forum – (Data Protection/Privacy Council)
• Leverage other “Data” stakeholders – e.g. Data Governance/Digital/Data Officers
When? ……… Life post May 2018
• Layered approach to stakeholder management
– Procurement process
– Vendor management process
– Finance/IT Capex process
– IT development/acquisition process
• Use of sign-offs/standard assessments in decision making chains (new suppliers/products/uses being put to data)
• Use GDPR Programme analysis to inform where the Data Protection “lens” should sit in the lifecycle – and have a plan/methodology to integrate findings
Journey…… post May 2018
• Sectoral issues – e.g. marketing prosecutions within Telco sector; audits re retention of call records
• Public issues – Privacy Shield; Facebook/Cambridge Analytica – impact on data analytics
• Near misses – data security/suppliers – adapt!
Questions for the panel submitted/raised in advance of today’s event.
CPD Ref: 2018-0492
Advanced GDPR for DPOs and CDPOs
Pre-Submitted Questions
DPO Role
1. Conflicts: Can the DPO be an IT staff member? What about the Art 29 Guidance?
2. Reporting: I will be carrying out the role of DPO in my organisation - to whom am I likely to have to report matters on a regular/annual basis?
3. Budgets: In terms of thinking ahead to budgets for Capex and Opex what should I be including?
4. Multiple DPOs: How do we handle HQ DPO in relation to local/overseas DPOs?
Enforcement
5. What aspects of GDPR do the panel expect will be the key focus for regulatory enforcement post-May?
Data Security & Breach response
6. Does the panel feel that Irish businesses will be ready to meet the challenge of mandatory breach reporting?
7. Data Security & Email - What’s the impact of doing business with my own email address or using a client email whilst working onsite? Encryption of emails – Should all external emails be encrypted?
Data retention
8. Does GDPR have an impact on Data retention?
9. Any advice on retention generally & email retention in particular?
Direct marketing
10. Is there any chance that the revised ePrivacy Regulation will be in force by May?
11. What trends are the panel seeing in relation to how businesses are approaching issues such as direct marketing and cookies?
Data subject rights
12. What are the biggest challenges businesses are facing in implementing procedures to deal with the new and revised rights - & any advice?
13. Employer references - disclose?
Legal basis for processing
14. How important in the panel's view is identifying the correct legal basis for processing activities - how are businesses managing with this aspect of GDPR readiness?
15. General Insurance – named drivers & consent?
Data minimisation
16. What kind of practical steps can a DPO take to ensure the business is complying with data minimisation rules?
17. In a post GDPR world, what is the panel’s view of best practice in terms of the levels of access to customer data that trainees ought reasonably be given while being trained in for a certain role?
Data Portability
18. How do we prepare?
Vendor management
19. Is there a role for adopting a risk-based approach when tackling the enormous task of implementing contracts with processors?
20. What kinds of issues are proving the biggest stumbling blocks in negotiations in terms of GDPR clauses?
International transfers
21. With the Schrems case still on-going, how are businesses approaching standard contractual clauses - is there much activity in that regard?