Prior to the enforcement of the GDPR, data protection regulations and recommendations are already in place throughout the various member states of the EU. One of the main reasons for introducing the General Data Protection Regulation (GDPR) is to bring a level of uniformity to the way that data protection is addressed throughout the EU.
The Data Protection Authority (DPA) in each member state will still have some leeway in areas such as the imposition of fines for non-compliance. But it's expected that the various DPAs will liaise with each other, helping to create the required uniformity.
The issue of GDPR certification
There are two things it's important to note about GDPR data protection certification: it does not exist at present, and it is not compulsory.
Yes, there are plenty of advertisements out there from people who offer certification in the requirements of the GDPR. But while this type of certification may be useful, it is not officially recognised and it will not ensure that any business or organisation meets its compliance obligations.
Articles 42 and 43 of the GDPR do make reference to the recommendation that certification bodies are introduced, offering certification which is authorised by the relevant DPA. But this certification has yet to be introduced in the member states of the EU, although DPAs such as the Information Commissioner's Office (ICO) in the UK have stated that it will be.
Even if this recognised certification is introduced, it does not help a business or organisation to escape its obligation to ensure that it complies with the GDPR, and that it can provide proof of that compliance. Yes, receiving recognised certification might be a good thing, but it is not the only thing that a business or organisation should be aiming to achieve.
What a business or organisation has to do
In order to comply with the stipulations of GDPR data protection, businesses and organisations need to be preparing themselves, in readiness for the implementation date of 25 May 2018. This preparation should involve:
- Carrying out an audit of all personal data that is currently held and processed.
- Knowing what data is held, where it’s held and who is responsible for the management of all personal data.
- Making sure that all necessary consent is in place and that details are held regarding when and how the consent was obtained and who obtained it.
- Ensuring that processes and procedures are put in place for processing data in a secure manner.
- Ensuring that processes and procedures are fully documented, so that compliance can be demonstrated.
When it comes to GDPR data protection, it’s vital that every business or organisation does not just ensure that it’s compliant, but also that it can demonstrate its compliance, by the provision of appropriate documentation.
How the role of the Data Protection Officer fits with GDPR data protection
The role of the Data Protection Officer (DPO) is already one which exists within many businesses and organisations. This is especially the case in Germany, where businesses are required to have a DPO as part of data protection regulations. It's this German model that has helped form the intentions of the GDPR when it comes to the role of the DPO.
There is actually something to be said for a business or organisation having a DPO in place. It means that there is a person whose role is to advise the board, and the employees, about important aspects of compliance. This can make it easier for the business or organisation to meet its obligations concerning GDPR.
But not every business or organisation is required to have a DPO in place under the GDPR. The regulation states that businesses need to have a DPO in place if they are involved in data processing which requires the large-scale systematic monitoring of data subjects, or if they are involved in the large-scale processing of special types of sensitive personal data, such as that which involves sexual orientation, health information, or political or religious beliefs. There is no definitive information about what constitutes large-scale processing or systematic monitoring. But it's more likely that a business which relies on trading in credit details will be required to have a DPO in place than one which only processes a small amount of personal data in respect of its own employees.
What qualifications does a DPO need?
We have already taken a brief look at certification for GDPR data protection, but what sort of certification does a DPO need? This is an important question to ask when you consider that there may well be a shortage of qualified individuals within the EU, due to the increase in the number of DPOs required.
It’s interesting to note that the GDPR does not stipulate that a DPO requires any qualifications in order to undertake the role. But, this does not mean that someone undertaking the role of DPO does not need to have specialised knowledge. They require:
- An in-depth knowledge of the GDPR, and how it affects the business or organisation they are working within.
- Knowledge of how to develop and implement data protection processes and procedures.
If your business or organisation is thinking of moving someone into the role of DPO, it can do so, as long as the person is sufficiently trained and experienced to possess the required knowledge. It’s also important to note that there should not be any conflict of interest for the DPO. They need to be able to operate independently, and advise on aspects of data protection with no influence from the board or the CEO.
Why everyone needs to be informed about GDPR data protection
The issue of GDPR data protection is not something that should only concern the board and the DPO, if one is in place. Everyone who works within a business or organisation, and is involved with the processing of personal data, is responsible for helping to ensure that the stipulations of the GDPR are complied with. This is why it’s so important to ensure that all employees know what the GDPR is about, and what their responsibilities are.
Under the GDPR, any data controller or data processor can be reported for breaches of the GDPR by a data subject. This widens the scope for accusations, which can currently only be levelled at data controllers. You can see why it's so important to ensure that everyone involved in the processing of personal data understands the requirements of the GDPR, and complies with them.
GDPR data protection – the responsibility of reporting a data breach
One of the most important responsibilities detailed in the GDPR is that of reporting a data breach to the relevant DPA. This report needs to be made within 72 hours, except where there is no risk to the rights or freedoms of any data subjects. It's important to note that the 72-hour clock only starts ticking from the time when it's reasonable to assume that the business or organisation should be aware of the breach.
The data subjects affected by the breach should also be informed without undue delay. How a business or organisation decides to contact data subjects is going to depend on the breach itself, and what the risks to the freedoms or rights of the data subjects are. It could be that the risks have been reduced by the business, or that the encryption of personal data renders it useless following a breach. This means that it may be sufficient to make a general announcement, informing people about the breach.
GDPR data protection is one of the most talked about subjects in the business world right now. It’s a global talking point, as the GDPR affects any business that processes the personal data of EU citizens, not just those businesses that are based in an EU state. If your business or organisation is not ready to comply with the GDPR, it could be putting itself at risk of receiving a fine or sanction.
If your business or organisation is one of those that should have a DPO in place by 25 May 2018, you need to make sure that this happens. Given the level of knowledge that is required to fulfil the DPO role, this is an area that you should be addressing right now. Doing so means that you can ensure that any necessary training is completed. Of course, this applies to the awareness and training required by any employees, not just DPOs. Making sure that everyone is aware of the GDPR, and what their responsibilities are, is one way of helping to ensure that your business or organisation is compliant. Being compliant means that you can avoid the imposition of large fines. It also means that you are not at risk of the reputational damage that non-compliance can bring.