In this episode of the GDPR mini-webinar series Amar Singh and Chris Payne discuss the topic of the data protection officer.
Amar: Welcome to Cyber Management Alliance’s GDPR mini webinar series. You are watching episode six, the Data Protection Officer. For those of you who are just joining us now, do remember to watch the previous episodes one to five. You can go to cm-alliance.com or you can go to BrightTalk channel and look for Cyber Management Alliance. Glad to be joined again today by Chris Payne, Managing Director of Advanced Cyber Solutions, but also a really, really clued up GDPR expert. Chris, welcome!
Chris: Yes, thank you, Amar!
Amar: So, let's go straight in. The Data Protection Officer; very interesting role, obviously, a role that needs… and the question every organisation is asking, do I need one? Chris, what are your thoughts on this?
Chris: It's a question that I get a lot; do I need a DPO? Or do I need to assign somebody as responsible for the GDPR in my organisation? And I guess the answer is a little bit yes to both. There are some constraints and requirements; so, you have to appoint a Data Protection Officer if you are a public sector organisation. Now, that might not be a term that is used frequently outside of the UK but essentially, if you are a government department, a local authority, a police force, anything funded by the government in terms of health, justice, and there are probably lots of other examples as well, essentially funded by tax, then you are considered to be public sector and you must have a DPO in place. For private organisations, you must have a DPO in place if you are regularly and systematically monitoring data subjects on a large scale. So, for example, you could be an election poll collector; there are lots of, when it comes to election time in the UK, we have lots of polls on TV, you could be one of those organisations collecting data. You could be running questionnaires. Anything where you are collecting a large amount of data in order to monitor the behaviour of data subjects, you need a DPO. In a similar fashion, if you are processing large quantities of special categories of data, and we have covered that in the previous webinar, a couple of examples would include sexuality, mental health, possibly political religions, then you also need to assign a Data Protection Officer because your work is seen as slightly more critical in terms of protecting that data. So, those are the requirements for it but of course, there are going to be borderline cases and where there are borderline cases, or where there is confusion, then the recommendation is that you probably should have a DPO. And then there is just a note that we’ve put at the bottom of the slide here; here are some exemptions.
So, one of the examples that comes out of the regulation directly is that courts are exempt from needing a DPO when acting in a judicial capacity but not if they are collecting personal information from, say, judges or staff or something like that. It's purely in their judicial capability.
Amar: And I think we are going to cover this very soon. And the point is that you don't have to have a brand new employee and only make him or her do the DPO duties. So, a very small organisation and not a very large organisation, you may want to take an existing employee, upskill them and give them the DPO role as a part-time role. It doesn't necessarily have to be a DPO-only role. And there you go. Where do we find a DPO, Chris?
Chris: Yes! I think you are absolutely right. A DPO doesn’t need to be a brand new member of staff. It could be somebody who already works with you. So, it could be your existing CISO, it could be your CIO, it could be your IT manager, anybody really that has some kind of experience in data privacy law, knows about the GDPR and has the spare time in their schedule to fit this role into; they can be a DPO. Some of the other things that are important to remember; you can actually contract a DPO. It doesn't have to be a full time employee, it could be a service that you are contracting. So, Cyber Management Alliance actually offers a virtual DPO service. It will be up to you to negotiate but you could have something like, I don’t know, let's say twenty hours per six months, depending on the size of the organisation and requirements of course, there will be a scoping exercise needed for that, but you can actually contract those services out and it doesn't have to cost you an entire yearly salary to have a DPO here in a small to medium-sized business. If you do belong to an association; so, for example, housing associations tend to belong to larger groups, health organisations, things like local trusts, they also tend to belong to larger associations; they can share DPOs. So, you could have a DPO for, I don't know, let's say health organisations for the south of England. It could be made up of seven different organisations, and they share one DPO. Again, if the DPO can do that job comfortably, that's perfectly allowed. Critically, under the GDPR, what is asked of the DPO is that they need to have demonstrable capabilities in data protection laws. You can't just assign, I don't know, the receptionist or the head of HR, or it can't necessarily be the CEO of the business; it has to be somebody that has grounded knowledge in data protection and privacy.
Amar: Yes, and to be clear on that, it doesn't mean someone who is very technical, either. Being technical, understanding encryption, does not make someone a DPO; very important for businesses to understand that. Someone may be good at protecting data; that does not make them a DPO. Please do take note. And there you go; a DPO must have demonstrable expert capabilities in data protection law. Not, I repeat, not someone who is technically able to protect your data. It's important you keep, obviously, hold of that individual but that does not make him or her a DPO. Correct, Chris?
Chris: Yes, and I guess a lot of people are having a tough time with this point because the first thing that most businesses are going to do is to tie this to the IT department; but, of course, the GDPR is not an IT problem. Maybe problem is the word that shouldn’t be used. It's an organisation-wide change and it involves a lot of different practices of the business, and it needs to be taken seriously. So, it definitely shouldn’t just be given to somebody who knows a little bit about IT or runs the IT department; it should be somebody who is actually capable of doing this job. And the word capable is a little bit relative, isn’t it? There aren't any... there are courses that you can attend about the GDPR but of course, none of them actually carry an identifiable badge that says that this person can be a DPO.
Amar: But to... sorry to interrupt you, but to stress on this point. The GDPR, and prior to that, is asking organisations to go through a cultural change.
Amar: The mindset of protecting customer, client, employee, personal information and not taking that for granted is giving rights to the data subject, and the DPO, and the organisation, must understand that. And I repeat, to repeat what Chris said; it is not an IT problem. What is the DPO supposed to do, Chris?
Chris: So, a DPO has multiple parts to their role, as you would imagine. The first and most basic part is they are the glue, essentially, between your organisation and data subjects, and the supervisory authority. So, if data subjects want to exercise their rights, if they want to speak to somebody about what data you are holding on them, you would be their point of contact. So, your contact details will be published publicly, at least from an organisation perspective. You would also be the first person a supervisory authority will speak to if they had any concerns about your processing and, of course, if you had a breach, the supervisory authority would expect that notification to come from the DPO, and they would maintain that link of communication. The DPO is essentially there as a representative of your organisation. Now, something else to note with this; we have been speaking about the DPO; if your business is not one of those businesses that has to have a DPO in a mandatory sense, you still need to assign somebody in your business the role of being responsible for the GDPR. It’s not the same as the DPO. When the supervisory authority wants to speak to the organisation, they need to have someone to speak to. So, it’s, I guess, it's more of a nominated person in that case as opposed to a full role. Every single organisation needs to nominate somebody who is going to be that communication point. So, that's the first thing that the DPO is really there for. The other thing that they’re there for is to generally advise the controller or the processor, or maybe both, about their obligations under the GDPR. So, there is your continual reference point about the GDPR where you can ask them if you are allowed to run certain processes, what they would recommend and how they would recommend that you go about doing business in the way that you would like to do it. So, they are there essentially as your GDPR encyclopaedia.
The other part of their job is to monitor you, so they need to make sure, and they need to have access, that's very critical, to all your data processing systems, all your processes and everybody in your business so that they can ensure that you are complying with the GDPR. Now, maybe it sounds a little bit sinister but think about it like this; what they are there to do is to prevent you from getting those administrative fines, so having that police-like authority walking about your business and making sure you are complying is actually a positive thing in the end. And then the final thing, of course, is to advise you on how to conduct gap assessments, or DPIAs as they’re known in the GDPR. Performing gap assessments is a critical part of the GDPR so that you understand where your levels of risk are, and the DPO is not only going to be able to advise you in doing that, but also will be able to conduct them for you.
Amar: Totally, and to repeat, it’s a cultural change. It’s not someone policing you, as everyone respects the personal information of customers, clients and employees. The DPO is going to have a great day and it’s going to be a relatively straightforward GDPR journey for everyone. Data controller/processor obligations… the DPO must be involved in a timely manner and now, again, this goes back to the responsibilities of the DPO and for those who think it's an easy job, it's not that easy. You know there are obligations, there are capabilities, there is commitment... Chris!
Chris: Yes, that's absolutely right and so we have kind of covered what the DPO is there for, and I guess a lot of people are going to be a little bit suspicious, and maybe a little bit defensive, when they have a new guy walking about telling them that they can't do certain things they've been doing for a long time. And, as we mentioned, they are not there to be negative towards the way that you want to run your business; they are there to protect you, essentially. So, the obligations for you, as a business, with your DPO are that you must involve your DPO, even if you don't like what they do, every time that you have a new project that involves personal information or personal data; you've got to include them in that. They need to be involved from the outset of that project right through to its delivery. It's really important that the DPO is taken seriously in the business because the DPO is there to advise you and they need to have access to the highest levels of management to be able to communicate any changes, problems or advice that they have. Critically as well, the business is not allowed to obstruct a DPO from doing what they are supposed to do. So, let's say, just theoretically, that an organisation has been breached, the supervisory authority has arrived and they are investigating what has happened, and they find that the board has not been allowing the DPO to do their job properly. Then, you know, the culpability of the board has been demonstrated because the DPO was not able to do what he or she needs to do.
Chris: It's really important that the DPO is given the free rein to be able to do what they need to.
Amar: Totally! And then, obviously, they must report to the highest levels. This is not a low… no disrespect to the organisation charge, or any organisation, but the DPO is a serious role and the person he or she must report to must also be of equal seniority. Excellent. DPO: is it the same role as the CISO?
Chris: Yes, I think, Amar, you know a lot more about the CISO role than I do, having been one before, but I guess a lot of people are going to wonder, well, if I already have a CISO, why do I need a DPO? Or can they be the same people? Are they going to be against each other? Do I need one or the other? Can they be the same? There are a lot of questions around whether it's the same role or not. I think, essentially, it's not the same role but, depending on the size of the organisation and what their typical business activities are, it could be that they are the same person and it might be that they are separate roles.
Amar: I think we could probably do a separate webinar on this one. I've been a Data Protection person, officer and a CSO and, as Chris is saying, depending on the size of the organisation, you do need a separate DPO. Many, many of those, even now, are focusing too much on IT. A CISO also must obviously be regarded and, as we think, a CISO can be a DPO but they must be able to demonstrate that they have the capability to perform both of them adequately. So, we're probably going to do another separate webinar on this, Chris, because there is a lot of debate, hot debate, going on out there. We did our Wisdom of Crowds and at the end, there was an interesting debate over there also. So, yes, something we are going to touch upon very soon.
Chris: And I think what's really important to point out here is that last point that people can see on the screen. One of the critical requirements for a DPO is that they have the time in their schedule to be able to do their role. So, even if you want to combine those two roles together, you need to make sure that the DPO aspect of it has enough time to be completed and for that person to carry on their duty as a CISO. So, I have met many a very busy CISO out there but chances are, they can’t take this role on, too.
Amar: Very much. I wanted to thank everybody for listening in. Thank you, Chris Payne, our GDPR expert but also the Managing Director of Advanced Cyber Solutions, and look forward to the next one, which is Incident Response. Thank you, Chris.
Chris: Thank you.