In a previous post I highlighted and analyzed various aspects of the European Union General Data Protection Regulation (EU GDPR) and provided a summary of my recommendations. This post explores some of those recommendations in more detail. They are listed in sequential order, because it’s crucial that those responsible for the protection of EU citizens’ data take the lead in the development and execution of their firm’s protocols. This is true whether an entity is required to hire/assign a Data Protection Officer (DPO) or gives the responsibility to the Data Controller. It is also important to note that recent court rulings have shown an increasing willingness to hold individuals responsible, not merely the firms for which they work.
STEP 1: Hire/Assign a Data Protection Officer (DPO)
– DPOs are required if a Data Controller’s core activities consist of data processing, especially when it requires regular and systematic monitoring of Data Subjects’ personal data. However, entities should consider hiring/assigning a DPO, even if not required, due to the significant workload involved. The duties and responsibilities entailed in complying with the Reg are substantial. And while they may fluctuate, they are unlikely to diminish in a linear and predictable fashion.
– The entity must inform the relevant Supervisory Authorities (SA) regarding the new DPO or, in the alternative, that the Data Controller or Processor will be acting in this capacity. The development of a good working relationship between the SA and the entity’s representative will be critical in complying with the Reg. I strongly encourage all entities to establish this relationship sooner rather than later. The SA is not merely someone an entity must inform of a data breach, but can be an invaluable resource in developing a firm’s data protection protocols from the start.
– It is important to remember that even if an entity hires a DPO, the DPO cannot be directed by the Data Controller/Processor. Instead, the DPO works independently and autonomously in order to ensure the security of Data Subjects’ personal data and to avoid the potential for conflicts of interest. This will likely prove to be a delicate balancing act. Although the DPO will be hired by an entity, the DPO’s client-master is actually the Data Subjects of that entity (not the entity itself). This distinction must be maintained in order to avoid even the appearance of undue influence. I will post another blog specifically outlining the role and responsibilities of the DPO. So, stay tuned.
STEP 2: DPO to Conduct an Information Audit and Data Protection Impact Assessment
– In order to plan a future course of action, an entity must first know where it stands today. Therefore, the first order of business once a DPO is identified is to conduct an Information Audit so as to understand: the path that data travels internally and externally (data-in-transit), where the data is stored (data-at-rest), and all of the elements that make up the collection, storage, and processing of data. As part of the Information Audit, a Data Protection Impact Assessment should be conducted in order to understand, quantify, and mitigate the risks and costs associated with data processing. This step should include an evaluation of existing IT systems and the data protections they offer. This may reveal a need to purchase additional or different IT systems. Therefore, the entity should plan for this possibility in its budget.
STEP 3: DPO to Establish a Data Protection Code of Conduct to be Shared Internally with All Data Stakeholders (Establish Breach Detection and Notification Procedures)
– One of the results of an Information Audit should be the establishment of a Code of Conduct, which outlines the processes and procedures to be followed regarding the treatment of the personal data of Data Subjects.
– The document should also establish the procedures to identify breaches, as well as the notification requirements thereof.
STEP 4: DPO to Update Explicit Consent Opt-Ins
– Transparency is paramount. The Data Subject must be informed of:
o The purpose of the data collection, storage, and use
o The length of time that the data will be stored and/or used; if the entity cannot provide a specific length of time, then the entity must provide the Data Subject with the criteria used to determine that period
o The recipients of the data
o The logic involved in automated processing of the data
o The consequences of data processing, if based on profiling (such as with application approval/denial for credit)
– Be sure to separately call out any data collection, storage, and use for direct marketing purposes.
STEP 5: Provide Data Subjects with the Contact Information of the DPO (in the alternative, the Data Controller/Processor)
– The entity must provide Data Subjects with the contact information of the DPO or, if one does not exist, then the Data Controller/Processor for inquiries, concerns, or requests for data erasure, etc.
STEP 6: Use this Reg as your Competitive Advantage
While complying with any Reg that seeks to proscribe certain behaviors is often considered onerous (and rightfully so), it can also offer an entity a competitive advantage, especially when a Reg is first enacted. Just as there is a “window-of-opportunity” for market traction when there is a new product release, so too does one exist whenever legislation impacts the business environment. Therefore, it would be wise to prepare well in advance for compliance and thus take advantage of being “first-to-market,” so to speak, in gaining the trust and confidence of your current and prospective customers.
*Records maintenance is critical throughout, especially in the cases of Steps 2 & 3 above. All entities impacted by this Reg must maintain records of their data processing activities, regardless of whether a DPO is hired/assigned. Information contained therein must include: the purpose of the data collection, storage, and use, the process by which the entity developed the data categories, recipients and their location, time limits for erasure, documentation of suitable safeguards, and a description of security measures.