Roles and responsibilities of the Data Protection Officer

The Data Protection Officer in EU and elsewhere: Roles and responsibilities
Robert Bond, CCEP
Head of Data Protection and Cyber Security Law and DPO
charlesrussellspeechlys.com
Robert Bond
Partner, CCEP
Robert Bond has over 37 years' experience in advising clients on all of their commercial, IP, technology and data protection requirements. He is DPO and deputy ABO for the firm. He is a legal expert, presenter and author in the fields of e-commerce, computer games, media and publishing, data protection, information security and cyber risks.
He is named in the National Law Journal's list of 50 Governance Risk & Compliance Trailblazers, listed in the top 10 in "the Who's Who of Information Technology Lawyers 2014" and also in "Best Lawyers in UK 2015".
“Astounding” Legal 500 2015
Tel: +44 (0)20 7427 6660
"He continues to impress year on year. His spark of imagination and ability to grasp the technology is amazing" Chambers UK, 2014
robert.bond@crsblaw.com
Brief introduction to Charles Russell Speechlys
− Leading law firm based in London with regional offices within the UK and international offices in Bahrain, Qatar, Geneva, Zurich, Luxembourg and Paris with a strong focus on the Technology, Media and Telecoms ("TMT"), Financial, Retail & Leisure and Life Science sectors.
− Recognised for our Data experience and advisory services in the latest legal directories, Chambers UK and Legal 500 amongst others.
− Our clients range from large listed businesses to small start-ups, governments, not-for-profit organisations and private individuals. We have specialised in data privacy and information security for 37 years.
− Our Data Protection & Information Law team provides a range of expertise on data privacy audit, compliance, risk management, information security and data breaches.
"What I liked was the fact that the team was very willing for us to see itself as an extension of our existing in-house team. I like the way it integrated – members sat alongside and guided us. That was what impressed."
OUR EXPERIENCE
[World map: shaded countries are those where we have assisted clients with data privacy related issues]
OUR EXPERIENCE
We have advised clients on all matters pertaining to data protection, including:
• Rolling out comprehensive, global data privacy programmes and policies for multinationals
• Training: face-to-face, via webinars and tailored e-learning modules
• International data transfer solutions
• Data breaches and cyber incidents
• Employee monitoring
• The implications of data privacy on marketing strategies
• Cookies and similar technologies
• Data retention and destruction
• Subject access requests
• Social media and Bring Your Own Device
• Big Data and IoT
• Telemetry technology
• Outsourcing contracts
• Data protection in the procurement process
• Data protection issues in relation to corporate transactions and due diligence
• Privacy Impact Assessments
• Notifications/filings with data protection authorities
Polling questions
• Does your organisation have a DPO?
• Under the GDPR, will your organisation appoint a DPO?
• Would your organisation use a DPO under a service contract?
Data protection is at the heart of any business
[Diagram: PERSONAL DATA at the centre, surrounded by the business areas that touch it]
• Commercial Contracts
• Reporting and Discovery
• Big Data
• Outsourcing / Cloud
• M&A
• Investigations & Claims
• Social media
• Global Presence
• Employment
• Emails
• Corporate Restructuring
Current DPO position in Europe
• Some jurisdictions mandate or legislate for the appointment of a Data Protection Officer (DPO), e.g. Germany, Belgium (for public bodies), Hungary, Slovenia, Russia, Poland
• In many countries the DPO is an optional appointment that can assist in mitigating risk
• The CNIL "Seal Scheme" in France imposes detailed duties on the DPO
• The DPO is empowered to ensure the company is compliant with all aspects of applicable data protection laws and regulations
• The contact details of the DPO may be required to be filed with the relevant data protection authority in some jurisdictions
• The filing of the details of the DPO may negate the requirement to register the data controller with the DPA
• The DPO may need to be an in-country employee but in some cases can be appointed to serve a Group DPO function
• Some DPOs may be a service company appointed under a contract
Responsibilities: Notification / Registration
• Notifying the relevant Data Protection Authority of the company's data processing activities
• Keeping notifications updated from time to time
• Maintaining separate notifications in respect of all data processing entities within the corporate group
• Making any necessary filings in relation to international data transfers with the Data Protection Authority
Data Protection notifications, filings and registrations –
what is this?
• More than a tick the box exercise
• More than a bureacratic formality
• Purpose
• To assist the Data Protection
Authorities (DPAs) enforcing the
data protection law
• You must be fully informed to
present a registration/notification
• Types of notifications:
• Prior registration of processing
operations
• Prior checking of processing
operations
• Notification of breaches to the
DPA
• Notification of breaches to the
data subjects
• Other types of notifications /
requests for authorisation
DPO and Data Transfers
[Diagram: strategies for transborder dataflows]
• Safe Harbor
• Seals and trust marks
• Model clauses
• Consent
• Presumption of adequacy
• Contractual necessity
• Adequate destination
• Binding corporate rules – not valid in all countries
CNIL Seal Deliberation of 11 December 2014
• Art 11(3) of the French Data Protection Act 1978 sets out the ability of CNIL to award a Privacy Seal to a data controller
• The Deliberation published last year places many obligations on the DPO
• Must be independent to make decisions affecting compliance
• May be an internal or external entity (natural or legal)
• Must manage compliance and data breach reporting
• Must regularly audit privacy compliance of the data controller
ICO’s privacy seal project
• ICO has concluded its consultation on its project
• Framework sets out scope of scheme, incentives for certification, assessment, complaints and fees
• Intention is to appoint UKAS to lead the accreditation process for ICO and for there to be at least one accredited seal holder during 2016
• Seal design will be announced by the end of the year and will be licensed to users
• Several organisations have already expressed interest in obtaining a Seal
European data protection seal
Art. 39 GDPR (draft numbering; certification appears at Articles 42 and 43 of the Regulation as adopted)
• Controller and/or processor can request the relevant Supervisory Authority, for a fee, to certify that processing is in accordance with the GDPR
• Accreditation framework with a hierarchy of auditors
• European Data Protection Board to keep a public register and define technical standards
• The Seal will not only certify compliance but also authorise data transfers
Responsibilities: Managing data controllers and data processors
• To monitor the activities of all data controllers within the corporate group (e.g. HR, sales and marketing, procurement functions)
• Liaison with relevant departments in respect of changes to processing activities – such as HR in relation to staff leaving, interviews and recruitment, new members of staff, subcontractors
• To provide advice to the company, the board and staff on compliance
• To manage data processors on behalf of the company
• To monitor any outsourcing of data processing activities to third party processors
• To ensure third party data processors enter into suitable contracts to ensure compliance with applicable data protection rules
• To define information security and data handling practices to be observed by third party data processors
Responsibilities: Policies, Procedures and Practices
• To provide guidelines to the company board and members of staff
• To provide guidelines to new members of staff
• To provide guidelines to contractors and third parties using company information
• HR liaison in relation to policies, procedures and practices specifically for members of staff, interviewees and job applicants
• Liaison with the IT department in relation to developing policies, procedures and practices for information security, data handling, outsourcing and monitoring
• To liaise with sales and marketing to ensure compliance with applicable law and regulations for marketing, advertising and PR
Responsibilities: Training
• To provide facilities for training / raise awareness of existing staff, new staff and the Board
• To advise and coordinate in-house training by departments and groups
• To produce regular articles to update on new legislation and guidelines
• To raise awareness of new developments as they emerge
Responsibilities: Subject Access Requests
• To manage and administer Subject Access Requests
• Initial point of contact for employees in relation to Subject Access Requests
• To raise employees' awareness of Subject Access Requests and the importance of a timely response
• To ensure responses to Subject Access Requests comply with the law (in the appropriate time frames)
• To provide the company board and staff with policies, procedures and practices in relation to compliance with Subject Access Requests and, where applicable, freedom of information access requests
Responsibilities: Audit
• To regularly audit for compliance with applicable legislation and regulations
• To advise the company of any changes to policies, procedures and practices as a result of any annual audit
• To implement any authorised changes to policies, procedures and practices resulting from an audit
• To consider, where necessary, the use of specialist advisors in relation to audit and compliance
What the future holds…
The General Data Protection Regulation
Data Protection Officer – Article 35 onwards (draft numbering; Articles 37 to 39 of the Regulation as adopted)
• Mandatory appointment in certain circumstances, e.g. where there is the "regular and systematic monitoring of data subjects on a large scale" or where the "core activities" mean that the controller or processor will process a large volume of "special categories of data" or "data relating to criminal convictions and offences"
EU DATA PROTECTION OFFICER – WHO AND HOW
• Data Protection Officers chosen for their professional qualities
Expert knowledge of data protection law and practices, including:
• Technical & organisational measures & procedures
• Mastery of technical requirements for privacy by design, by default and data security
• Industry specific knowledge in accordance with
  • The size of the controller or processor
  • The sensitivity of the data processed
• Ability to carry out inspections, consultation, documentation and log file analysis
• Ability to work with employees' representatives
Organisation must enable the DPO to take part in advanced training measures to maintain specialised knowledge
EU DATA PROTECTION OFFICER – TASKS AND FORMALITIES
• Tasks – trusted adviser or police?
  • Raise awareness
  • Monitor implementation and applicability of the policies
  • Monitor implementation and applicability of the Regulation
  • Ensure mandatory documentation is maintained
  • Monitor the documentation, notification and communication of data breaches
  • Monitor privacy impact assessment and prior consultation
  • Monitor responses to the Data Protection Authorities
  • Contact point to the Data Protection Authorities
  • Inform employees' representatives on employees' data processing
  • Verify compliance with this Regulation
• There is a catch…
  • DPOs will be protected employees!
OBLIGATION TO MAINTAIN DOCUMENTATION – ACCOUNTABILITY PRINCIPLE
• Organisations must keep appropriate policies & procedures such as data retention and data management
• Policies & procedures reviewed at least every two years
• Reports of the activities of the controller shall contain a summary of policies & procedures
• Documentation must also contain:
  • Name & contact details of the controller, joint controller, processor and representative
  • Name & contact details of the DPO
  • Name & contact details of controllers to whom personal data is disclosed
The Proposed EU Data Protection Regulation
• Remedies and sanctions
  • Fines of up to EUR 20 million / 4% of total worldwide annual turnover of the preceding financial year, whichever is the higher.
  • Criteria for setting the level of a fine will include the degree of technical and organisational security measures and procedures implemented in respect of:
    • Data protection by design and by default
    • Security of processing
    • Data protection impact assessment
    • Data protection compliance review
    • Designation of the Data Protection Officer
Questions?
charlesrussellspeechlys.com