The most essential requirement is that the DPO must be allowed to perform their tasks in an independent manner. They need to report to the highest management level in the organization and cannot be dismissed or penalized for doing their job (i.e. giving advice). This requires a robust governance reporting structure within which the DPO can function, together with evidence of whether the DPO’s advice has been accepted or rejected.
GDPR Article 38 requires the organization to support its DPO by ‘providing resources necessary to carry out [their] tasks and access to personal data and processing operations, and to maintain his or her expert knowledge’. The WP29 Guidance adds that, depending on the nature of the processing operations and the activities and size of the organization, the following resources should be provided to the DPO:
Given the size and structure of the organization, it may be necessary to set up a DPO team (a DPO and his/her staff). Similarly, when the function of the DPO is exercised by an external service provider, a team of individuals working for that entity may effectively carry out the tasks of a DPO as a team, under the responsibility of a designated lead contact for the client. [10]
Failure to appoint a DPO where required can lead to significant ramifications. Administrative fines can be as high as the equivalent of €10m (almost £9m at time of writing) or 2% of the organization’s turnover, whichever is higher. The appointment of a DPO is not only a legal requirement, it must also be seen as an efficient way to ensure Data Protection compliance, something that is especially true when it comes to sophisticated Data Processing activities and cross-border data flows.
GDPR was a tsunami for businesses across the globe. And now that it has crashed upon the shore, the search to locate and secure personal data has become paramount. Since many businesses are not quite up to the task, here are eight strategies that can assist in the identification of personal data:
1) Looking for documentation. This might seem obvious, and it is. The problem is that only the most basic of systems will be documented well enough for this alone to locate consumers’ personal data.
2) Manual Investigation. Again, smaller systems will be able to do this; however, the larger the system, the more labor-intensive this becomes.
3) Turning to Application or Technical Specialists. Since the application and underlying data model are no doubt more technical than a manual investigation would allow, seeking out a specialist is the right move.
4) Hiring External Consultants. Similar to technical specialists, you are outsourcing expertise. However, there can be a drawback: often, there is a cost associated with a consultant getting up to speed on your particular data landscape.
5) Metadata-Driven Software Approach. An intriguing approach is to use analytics to find the metadata associated with the personal data in order to locate it. This approach is often much quicker than others.
6) Intranet or Internal System Search. Performing basic searches using existing tools in applications that house customer/consumer data.
7) Best Guess and Hypothesis Testing. While it sounds like statistical testing, this approach is predicated on observations and insights, and is frequently inaccurate as a result.
8) Turning to Software Vendors. Using new GDPR and privacy compliance tools for data mapping and data inventorying.
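The metadata-driven approach (strategy 5) and the basic internal search (strategy 6) can be combined in a small discovery script. The following is an added example written for this page, not code from the article or from any vendor product; every table, column name and sampled value in it is constructed. It scores each column on two signals, a column-name hint taken from the schema metadata and the share of sampled values that match a content pattern, and returns a ranked list of candidates for a reviewer to confirm. The two partial scores show the practical caveat: a name-only hit (such as an `email_opt_in` flag) needs checking before it is inventoried as personal data, and a value-only hit (an unhelpfully named `contact` column full of e-mail addresses) is exactly what a metadata-only scan would miss.

```python
"""Metadata-driven scan for columns likely to hold personal data.

Added example: combines column-name hints (metadata) with a basic content
search over sampled values and ranks the hits for human review. It is a
starting point for an inventory, not a substitute for one.
"""
import re
from dataclasses import dataclass

# Constructed sample inventory: {table: {column: [sampled values]}}.
# Every table, column and value below is made up for this example.
SAMPLE_INVENTORY = {
    "crm.customers": {
        "cust_id": ["10001", "10002", "10003"],
        "email_addr": ["jane.doe@example.org", "tom@example.net", "a.b@example.com"],
        "dob": ["1984-03-12", "1990-11-02", "1977-07-30"],
        "email_opt_in": ["Y", "N", "Y"],
    },
    "erp.invoices": {
        "invoice_no": ["INV-2201", "INV-2202", "INV-2203"],
        "amount": ["120.00", "89.50", "1500.00"],
        "contact": ["billing@example.org", "ap@example.net", "fin@example.com"],
        "billing_phone": ["+44 20 7946 0001", "+44 161 496 0002", "+44 113 496 0003"],
    },
    "hr.payroll": {
        "emp_ref": ["E42", "E43", "E44"],
        "ni_number": ["AB123456C", "CD987654A", "EF112233B"],
    },
}

PHONE_SHAPE = re.compile(r"\+?[\d\s().-]{9,}")


def _fullmatch(pattern):
    """Build a value checker from a regex that must match the whole value."""
    return lambda value: pattern.fullmatch(value.strip()) is not None


def _looks_like_phone(value):
    """Phone-shaped string with at least nine digits (an ISO date has eight)."""
    digits = sum(ch.isdigit() for ch in value)
    return PHONE_SHAPE.fullmatch(value.strip()) is not None and digits >= 9


# category -> (hint applied to the column name, checker applied to values)
RULES = {
    "email": (re.compile(r"e[-_]?mail", re.I),
              _fullmatch(re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I))),
    "date_of_birth": (re.compile(r"\b(dob|birth(day|date)?)\b", re.I),
                      _fullmatch(re.compile(r"\d{4}-\d{2}-\d{2}"))),
    "phone": (re.compile(r"phone|mobile|\btel\b", re.I), _looks_like_phone),
    "uk_national_insurance": (
        re.compile(r"\bni[_ ]?(number|no)\b|national_insurance", re.I),
        _fullmatch(re.compile(r"[A-Z]{2}\d{6}[A-D]"))),
}


@dataclass(frozen=True)
class Finding:
    table: str
    column: str
    category: str
    confidence: float   # 0.6 for a name hit + 0.4 * share of sampled values matching
    name_hit: bool
    value_ratio: float


def score_column(name, samples, table="<unknown>"):
    """Return one Finding per category the column plausibly holds.

    A column is reported when its name matches a hint, or when at least half
    of the sampled values match the content pattern for that category.
    """
    findings = []
    for category, (name_re, value_ok) in RULES.items():
        name_hit = name_re.search(name) is not None
        matched = sum(1 for v in samples if value_ok(v))
        value_ratio = matched / len(samples) if samples else 0.0
        if not name_hit and value_ratio < 0.5:
            continue
        confidence = round((0.6 if name_hit else 0.0) + 0.4 * value_ratio, 2)
        findings.append(Finding(table, name, category, confidence, name_hit, value_ratio))
    return findings


def scan_inventory(inventory):
    """Scan every column in the inventory; highest-confidence candidates first."""
    findings = []
    for table, columns in inventory.items():
        for column, samples in columns.items():
            findings.extend(score_column(column, samples, table))
    findings.sort(key=lambda f: (-f.confidence, f.table, f.column))
    return findings


if __name__ == "__main__":
    for f in scan_inventory(SAMPLE_INVENTORY):
        flag = "" if f.name_hit else "  (value-only: check column naming)"
        print(f"{f.confidence:.2f}  {f.table}.{f.column:<14} {f.category}{flag}")
```

In practice the sampled values would come from a read-only query against each system (a `SELECT ... LIMIT n` per column, or an export), and the hint and pattern tables would be extended with the organization’s own field-naming conventions. Anything scoring below 1.0 is a candidate to verify with the application owner, not a confirmed location of personal data.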
One of the quick wins that an Information Governance (IG) program can bring to an organization is the implementation of a Security Awareness Training program. Information Governance programs are implemented to reduce risk and maximize information value. Security Awareness Training programs are an excellent way to reduce risk and they are easy to implement. Employees have many bad habits that can leave a company vulnerable to data breach scenarios.
In response to the ever-increasing cybersecurity threat faced by business, a new sub-segment of the Information Security market has emerged and matured in the last five years. The Security Awareness Training market grew 54% from 2015 to 2017. Projected revenues for 2018 top $400 million.
Cybersecurity threats are constantly evolving. One of the important things to understand when evaluating Security Awareness Training programs is the vendor’s cycle for new content development and deployment in the training platform. Some of the features to look for and evaluate when selecting a Security Awareness Training product are:
The European Union General Data Protection Regulation (GDPR) is being subsumed into British domestic legislation, and is now the basis for a new Data Protection Act, replacing the old 1998 Act, itself based on a 1995 EU Directive. For this reason, until the new Act receives Royal Assent, this piece continues to refer to the GDPR. The pending legislation is, overall, causing much generalised debate regarding its implications and where Data Protection practice in the UK is destined.
There has been substantial specific debate and concern about who should be appointed as the Data Protection Officer (DPO) under the GDPR within healthcare organizations. In this section we will attempt to inject some order into the confusion. Our analysis has concentrated on the GDPR itself, along with guidance from the Article 29 Working Group (WP29) and the UK Information Commissioner’s Office (ICO), and on significant discussion between the authors, both interpersonally and online, with Information Governance (IG) and Data Protection professionals.
The perspective here is mostly applicable to Acute trusts within the National Health Service (NHS), although its message is likely to be applicable more broadly across the UK healthcare sector.
GDPR Article 37 states that a DPO is needed in any case where:
Whereas it is common understanding that the NHS is a public body, the term “public authority or body” is, rather unhelpfully, not defined in the GDPR. For the sake of clarity, however, it is apparent by extrapolation from the definition in Schedule 1 of the Freedom of Information Act 2000 that the NHS is indeed included.
It is perfectly acceptable for public bodies to appoint a single DPO to be shared between authorities.[2] It may be beneficial that the DPO is shared between healthcare organizations working in close partnership with each other, or perhaps across several organizations within a localized partnership.
GDPR Article 38 is clear about the position of the DPO, in that the Data Controller and Data Processor shall:
The DPO shall be bound by secrecy or confidentiality concerning the performance of his or her tasks. The Data Controller or Data Processor shall ensure that any such tasks and duties do not result in a conflict of interests.[4]
With regard to the last point, WP29 clarifies that:
As a rule of thumb, conflicting positions within the organization may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing. In addition, a conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues. [5]
DPOs do not have to be lawyers, but need expert knowledge of Data Protection law and practices. From a practical perspective, they must also have an excellent understanding of the organization’s governance structure and be familiar with its IT infrastructure and technology.
The DPO role may be employed (“internal DPO”), or there may be circumstances where they may act under a service contract (“external DPO”). In both cases, they must be given the necessary resources to fulfill the relevant job functions and be granted a certain level of independence, to be able to act in the necessary “independent manner.”
The DPO does not have to be a standalone role, and may have other tasks within the organization, so long as they do not interfere with the DPO role. WP29 has made it clear that the DPO “cannot hold a position within the organization that leads him or her to determine the purposes and the means of the processing of personal data.”[6]
Many healthcare organizations already have staff in place who oversee most issues relating to Data Protection. These roles generally have titles such as Head of IG, IG Lead, IG Manager or Privacy Officer. It is anticipated that these roles will be the most appropriate to undertake the DPO role within healthcare organizations with mature IG models.
GDPR Article 37 does not absolutely define the credentials for a DPO beyond “expert knowledge of data protection law and practices.”[7] The GDPR’s Recitals add that this should be “determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor.”[8]
Realistically, this is a member of staff with detailed expert knowledge and experience of applying IG and Data Protection principles within a healthcare environment.
The WP29 guidance clarifies this further:
Although Article 37(5) does not specify the professional qualities that should be considered when designating the DPO, it is a relevant element that DPOs should have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR. It is also helpful if the supervisory authorities promote adequate and regular training for DPOs.
Knowledge of the business sector and of the organization of the controller is useful. The DPO should also have sufficient understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the controller. In the case of a public authority or body, the DPO should also have a sound knowledge of the administrative rules and procedures of the organization.[9]
PCI-DSS is a term used in circles where personal and customer data is stored as part of the business process. The acronym PCI-DSS stands for quite a mouthful: Payment Card Industry Data Security Standard. Developed by the PCI Security Standards Council, it was intended to assist in decreasing fraud in the payments industry. While it is a global standard, it is by no means law here in the United States; each state has its own regulations in regard to cardholder data and associated fines for non-compliance. Compliance is performed by a:
Compliance is of vital importance to any organization that stores cardholder data or personal data, as these items are susceptible to theft and fraud. With the regularity of data breaches and cyber-attacks, being compliant means protecting yourself from the loss of customer trust, revenue, reputation, and ultimately customers.
Achieving compliance is an involved process that should be undertaken by an individual in the organization who understands everything involved. At its core, this “standard requires merchants and member service providers (MSPs) involved with storing, processing, or transmitting cardholder data to”:
Twelve additional requirements better address what an organization needs to do in order to be compliant:
Copyright © 2019 Privacy Today & InfoGov World Media LLC- All Rights Reserved.