Is your organization DPO-ready?

Data Protection Officer

By now organizations will have heard about the new EU General Data Protection Regulation (GDPR), which takes effect on 25 May 2018. It is the largest piece of data protection legislation to be passed in the history of the EU (Irish Times, 2017).

The fundamental objective of the regulation is to strengthen the rights of the individual (the data subject) and to create a much-needed harmonization of data protection law across the European single market. As a regulation rather than a directive, the GDPR applies directly and uniformly in all EU member states, and it brings a major shift in the regulatory landscape. The new framework presents new challenges for business, so organizations need to act now and prepare to be compliant by May 2018.

GDPR imposes new, more rigorous obligations on organizations for the collection and processing of personal data and introduces new and strengthened rights for the individual. The regulation reinforces Europe's highly protective approach to the processing of the personal data of individuals in the EU.

As mentioned above, the legislation stipulates a number of new protections. One of the major requirements is the mandatory appointment, in the circumstances set out in Article 37, of a dedicated Data Protection Officer (DPO).

The DPO performs the role independently. Under Article 38 the DPO must not receive instructions on how to carry out their tasks, must not be dismissed or penalised for performing them, and reports directly to the highest management level of the organization. The DPO also acts as the organization's contact point for the supervisory authority (in Ireland, the Data Protection Commissioner). The position can be filled by a current member of staff or contracted out to a third-party service provider (Article 37(6)).

Who needs a DPO?

The question most organizations are asking is: does my business need a DPO?

In many cases, yes. Appointment is mandatory only in the circumstances listed below and is voluntary otherwise, but an organization that concludes it does not need a DPO should document the analysis behind that decision, since it may have to justify it to the supervisory authority.

Article 37 of the regulation specifies that the appointment of a DPO is required where:

  • The processing is carried out by a public authority or body (except for courts acting in their judicial capacity)
  • The core activities of the controller or processor consist of processing operations which, by their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale
  • The core activities of the controller or processor consist of large-scale processing of special categories of data (Article 9) or of personal data relating to criminal convictions and offences (Article 10)

Roles and responsibilities of the DPO

Although Article 37 of the GDPR does not set out the precise credentials a DPO must hold, it requires that the DPO be designated on the basis of professional qualities, in particular expert knowledge of data protection law and practice, and the ability to fulfil the tasks set out in Article 39.

The roles and responsibilities of the DPO under Article 39 include:

  • Informing and advising the controller or processor and the employees who carry out processing of their obligations under the GDPR and other data protection laws
  • Monitoring compliance with the GDPR, other data protection laws and the organization's own data protection policies, including assigning responsibilities, raising awareness, training staff involved in processing operations and conducting the related audits
  • Providing advice, where requested, on data protection impact assessments (DPIAs) and monitoring their performance
  • Cooperating with the supervisory authority
  • Acting as the contact point for the supervisory authority on issues relating to processing, including prior consultation under Article 36, and for data subjects on matters relating to the processing of their personal data (Article 38(4))

Data protection training

Appointing a suitably qualified and experienced DPO will prove challenging for most organizations, as the pool of candidates adequate to perform the role is limited.

One effective way to prepare for the role of DPO is to train for the globally recognized IAPP data protection certifications, such as the CIPP/E and CIPM.

The IAPP estimates that more than 75,000 DPOs will be required in the coming months to meet the new GDPR requirements.

Certified Information Privacy Professional Europe (CIPP/E)

The Certified Information Privacy Professional/Europe credential provides the comprehensive GDPR knowledge, perspective and understanding needed to comply with the new legislation. It covers pan-European and national data protection laws, key privacy terminology, and practical concepts concerning the protection of personal data and trans-border data flows. CIPP/E covers the 'WHAT' of data privacy and protection.

Achieving the CIPP/E certification demonstrates understanding of a principles-based framework and knowledge base for information privacy in the European context, including critical topics such as the EU-U.S. Privacy Shield and the GDPR.

What do candidates learn?

  • Introduction to European Data Protection
  • European Regulatory Institutions
  • Legislative Framework
  • Compliance with European Data Protection Law and Regulation
  • International Data Transfers

How does the CIPP/E help your organization achieve GDPR compliance?

The CIPP/E is widely regarded as the gold standard in European data protection certification and is among the most recognised credentials in the privacy domain. Achieving the CIPP/E demonstrates that you have the GDPR knowledge and understanding to support compliance and data protection in the EU and further afield.

Certified Information Privacy Manager (CIPM)

The Certified Information Privacy Manager (CIPM) certification equips privacy and data protection professionals to establish, maintain and manage an enterprise-wide privacy programme across its entire lifecycle. CIPMs know privacy regulations, and they know how to make them work for their organizations.

What do candidates learn?

  • How to create a company vision
  • How to structure the privacy team
  • How to develop and implement a privacy program framework
  • How to communicate to stakeholders
  • How to measure performance
  • The privacy program operational lifecycle

How does the CIPM help your organization in achieving your compliance?

A CIPP/E combined with a CIPM means that you are well equipped to fulfil the requirements of a Data Protection Officer. The CIPP/E covers the knowledge a DPO must have of the European legal framework, and the CIPM provides the programme management skills needed to lead an organization's data protection programme.

The introduction of the GDPR, with its significant sanctions for non-compliance, signals Europe's intention to set the global gold standard in data privacy and protection law. Safeguarding the personal data of data subjects is the main principle underpinning this major reform, and it will alter the regulatory landscape for all organizations.

The reform places greater accountability on data processors and controllers in the handling of personal data of individuals in the EU. GDPR will not only affect businesses established in the EU: under Article 3, non-European companies must also comply with European data protection law if they offer goods or services to, or monitor the behaviour of, individuals in the EU.