Role of DPO in European Union for GDPR Compliance

admin | December 1st, 2017 | Cloud Security

The EU's General Data Protection Regulation (GDPR) gives the Data Protection Officer (DPO) role a pan-European legislative basis for the first time.

Existing Position

Many multinationals already have a Chief DPO, Data Privacy Officer or Chief Privacy Officer. Several EU Member States explicitly reference the DPO role in their national law, but there is currently no harmonized approach. The rules recently adopted by CNIL (the French data protection authority) for its Privacy Seals specify a range of duties that a Data Privacy Officer must fulfil. At present, some European jurisdictions (Poland, Hungary, France, Slovenia, Germany and Russia) legislate for or mandate the appointment of a DPO. Where DPOs are appointed, they are usually empowered to ensure that data controllers comply with every aspect of the applicable data protection laws and regulations. In certain jurisdictions, the DPO's contact details must also be registered with the relevant DPA (data protection authority). In several jurisdictions, the formal appointment of a DPO removes the data controller's obligation to notify or register with the relevant DPA, because the DPO's duty to maintain a compliance register and oversee the management of personal data processing covers what the registration or notification procedure would otherwise cover.

Responsibilities of a Data Privacy Officer

  • The DPO's chief responsibility is managing the notifications and registrations of the data controller's processing activities with the relevant data protection authority.
  • The DPO must keep these notifications and registrations up to date.
  • The DPO also has to maintain separate notifications for each data processing entity within the corporate group.
  • These notifications and registrations place specific obligations on the DPO regarding sensitive personal data, international personal data transfers (especially of sensitive data) and other processing activities such as whistleblower and ethical hotlines.
  • In the EU, the notification and registration process is far more than a "tick box" exercise or a bureaucratic formality of filing.
  • A data controller's registration or notification with the DPA supports the DPA's ability to enforce data protection compliance. The DPO therefore has to be well informed about all processing activities so that notifications and registrations are filed promptly and remain complete and accurate.
  • In some European jurisdictions, data processing cannot begin until the processing activities have been registered, and in some cases not until the relevant DPA has given prior approval. Particular notifications also fall within the DPO's responsibility: those relating to whistleblower and ethical hotlines, international personal data transfers (especially of sensitive data) and notifications of data breaches resulting from cyber crime incidents.
  • Another general responsibility of the DPO is monitoring the activities of all data controllers within the DPO's corporate group, including Human Resources, marketing, sales, IT, procurement and outsourcing.
  • The DPO also has to have a policy and procedure in place for liaising with the relevant department whenever its processing activities change, for example Human Resources processing relating to job interviews, staff, recruitment, leave, background checks, new staff members and the use of agents or sub-contractors.
  • The DPO has to be a "C-suite" person who reports directly to management on data privacy and related compliance issues. The DPO also needs autonomy, a budget and the decision-making power to manage non-compliance issues and related events, which the DPO can report to the relevant DPA.

Policies to Be Implemented

The Data Privacy Officer has to implement policies and procedures for managing the outsourcing of data processing activities, including the use of third-party vendors for Human Resources, Information Technology, marketing and so on, and particularly where those third-party vendors may process the company's personal data outside the European Economic Area and/or in the cloud.

For businesses operating in the cloud, a CASB (Cloud Access Security Broker) solution therefore becomes vital for enforcing compliance policies that prevent data loss and ensure that, if data is lost, it cannot be traced back to the data subject. CloudCodes is one such leading provider of CASB solutions; compare CASB vendors to take an informed, well-thought-out decision.