PRIVACY INSIGHT SERIES Winter / Spring 2018 Webinar Program
Appointing and Supporting the DPO: What Tools Do You Need? 14 March 2018
© 2018 TrustArc Inc Proprietary and Confidential Information
Today’s Speakers
• Margaret Alston, Consulting Program Director, TrustArc
• Gonca Dhont, Managing Director, DPO Network Europe
Privacy Insight Series - trustarc.com/insightseries
#trustarcGDPRevents
© 2018 TrustArc Inc
Today’s Agenda
• Welcome & Introductions
• Role of the DPO under the GDPR: the tasks, positioning, jobholder profile
• Who Should Appoint a DPO?
• How Companies are Operationalizing this Role
• Tools and Support for Success
Thanks for your interest in the webinar slides! To watch the on-demand recording please CLICK HERE.
Role of the DPO under the GDPR Gonca Dhont, Managing Director, DPO Network Europe
The DPO role is nothing new in Europe, but….
• NO OBLIGATION IN MOST EU COUNTRIES
• NO UNIFIED JOB DESCRIPTION
• LIMITED CAREER OPPORTUNITIES
• NO UNIFIED JOB HOLDER PROFILE
• A SOMEWHAT MYSTERIOUS JOB
• LACK OF MANAGEMENT SUPPORT
• LACK OF RESOURCES
Why do privacy people change jobs?
“My work is not valued. So much so that, if I leave, they’d probably shut down the privacy program.”
“All nice and well, but there is hardly ever a budget to spend on resources…”
“I am not involved in new processes from the beginning. If they ever come to me, it is usually at the final stage!”
“I have an irrelevant reporting line. My direct manager does not understand my work at all!”
Source: DPO Network Europe candidate interviews
A profession in the making…
What are the tasks of a DPO? A ‘trusted compliance advisor’ or a ‘watchdog’?
• INFORM & ADVISE the business of its obligations
• MONITOR the compliance of the business
• CONTACT POINT FOR DATA SUBJECTS
• CONTACT POINT FOR THE DPA
• ADVISE ON PIAs upon request
Position | Status | Way of Working
o Independence
o Must be engaged properly and in a timely manner
o Reporting to?
o Secrecy & confidentiality
What is the jobholder profile? (Does 1 DPO fit all?)
“The professional qualities & the ability to fulfil the DPO tasks”
DPO’s professional qualities are defined by…
1. The core tasks of a DPO (WHAT does a DPO do?)
2. The position & way of working (HOW does s/he do it?)
3. The business environment (WHERE does s/he do it?)
1. DPO qualities relevant to WHAT needs to be done
Tasks: inform & advise on obligations; advise on PIA (on request); monitor compliance; point of contact for the external world
Qualities:
• Knowledge of the GDPR, other regional DP regulations and Member State laws
• Knowledge of DP practices
• Familiarity with information technologies & security practices
• Approachable, consulting attitude
• Enjoys sharing knowledge
• Confident personality; can interact with all levels
• Able to distil complex legal requirements into understandable language and actions
• Structured, with a holistic approach
• PR skills
• Diplomatic & tactful communication skills
2. DPO qualities relevant to HOW it must be done
Conditions: no instructions; reporting line; secrecy & confidentiality; no conflict of interests (if an employee on a part-time basis); approach tailored to risk
Qualities:
• Able to work under minimum supervision
• Assertive
• Person of integrity
• Time management skills
• Excellent risk assessment skills
3. DPO qualities relevant to WHERE it must be done
The situation… → points to the level of…
• The DPO will have multiple-country responsibility → knowledge of covered MS DP laws and other intersecting laws, cultural expectations including DPA reflexes; language skills
• It is an international business (vs local) → experience with data transfers, ability to work with remote teams
• It is a B2C environment (vs B2B) → experience with SARs, breach management, …
• It is data-driven (vs data-supported) → tech knowledge, experience with big-data and/or new-tech practices, …
• There is high-risk processing (vs regular PD processing) → understanding of InfoSec practices, experience in a similar industry, …
• There is high reliance on outsourcing (vs in-house solutions) → experience with 3rd-party risk management
• Privacy program has low maturity or awareness level is low → experience in acquiring internal buy-in, delivering staff trainings, …
• The DPO will have a team → experience in people management (sometimes not of your own!)
Top DPO qualities in a nutshell
Who Should Appoint a DPO? Gonca Dhont, Managing Director, DPO Network Europe
Poll Question #1: Have you appointed a DPO?
1. Yes
2. No
3. Not Yet
Who should appoint a DPO?
PUBLIC SECTOR: all public authorities and bodies (except courts acting in their judicial capacity)
PRIVATE SECTOR: 1) EU-based controllers & processors (C&Ps) AND 2) non-EU C&Ps subject to the GDPR, where CORE activities consist of processing
• that requires REGULAR and SYSTEMATIC MONITORING of data subjects on a LARGE scale, or
• of SPECIAL categories of data and data relating to criminal convictions and offences on a large scale.
OTHER:
• Voluntary DPO appointment
• Required by MS laws
Should your company appoint a DPO?
How Companies are Operationalizing this Role Gonca Dhont, Managing Director, DPO Network Europe Margaret Alston, Consulting Program Director, TrustArc
Poll Question #2: How have you staffed, or are you planning to staff, the DPO role?
1. Engage a freelance DPO (PT/FT)
2. Combination of in-house & external DPOs
3. Source internally (FT)
4. Source internally (PT)
How businesses implement the DPO requirement in Europe
• They identify which entities should have a DPO. Example list of entities: Portugal (5), Spain (2), Germany (2), Austria (1). Voluntary appointment?
• They choose the right governance model. CRITICAL DECISION! Many factors come into play. Some options:
  - DPO per country
  - DPO per subregion (1 for Iberia and 1 for DEAT)
  - A single EU DPO
• They source qualified DPOs. Some options:
  - Source internally (FT)
  - Source internally (PT)
  - Engage a freelance DPO (PT/FT)
  - Combination of in-house & external DPOs
Implementation: Theory vs Practice
Examples | SOUNDS POSSIBLE | BUSINESSES WANT
Location | Anywhere is possible | Mainly in Europe
Language skills | English only | Multi-lingual DPOs as per geo covered
Legal framework knowledge | EU-level regulation only | Also MS laws knowledge + DPA reflexes
# DPOs per company | Single DPO for all EU entities | Multiple DPOs
Assigning DPO tasks | Possible to current employee | A dedicated resource
In-house | Possible | External DPO (businesses with large EU presence or risky processing)
Some FAQs / Observations
o The representative and the DPO – the same thing?
o Where to station the DPO if a single EU DPO? (outside the EU? if EU, where?)
o In-house DPO or external (and businesses without much option)
o What should we consider when appointing a current staff member on a PT basis?
o What about the reporting line if scope is multiple entities or countries?
o Can we appoint our in-house/external counsel as our DPO?
Tools and Support for Success Margaret Alston, Consulting Program Director, TrustArc
GDPR Compliance Roadmap
• Build Program and Team: Identify Stakeholders; Allocate Resources & Budget; Appoint DPO; Define Program Mission & Goals
• Assess Risks and Create Awareness: Conduct Data Inventory & Data Flow Analysis; Conduct Risk Assessment & Identify Gaps; Develop Policies, Procedures & Processes; Communicate Expectations & Conduct Training
• Design and Implement Operational Controls: Obtain & Manage Consent; Data Transfers & 3rd Party Management; Individual Data Protection Rights; Physical, Technical & Administrative Safeguards
• Manage and Enhance Controls: Conduct PIAs (DPIAs); Data Necessity, Retention & Disposal; Data Integrity & Quality; Data Breach Incident Response Plan
• Demonstrate Ongoing Compliance: Evaluate Control Effectiveness; Internal & External Reporting; Privacy Notice & Dispute Resolution Mechanism; Certification
Build Program and Team
• Though the DPO has responsibilities, he or she is not alone. The organisation must offer staff and resources to support the DPO in carrying out his or her duties.
• In this respect, DPOs in EU institutions and bodies can be seconded by an assistant or deputy DPO, and can rely on data protection coordinators (DPCs) in each section of the organisation. Access to resources also includes training facilities.
• There may be a deputy DPO and data protection coordinators. Remember that these different roles are important, but they have the potential for conflicts.
To-Dos, Tools and Resources
• Review the organization’s org chart and identify what structures must be in place in order to be effective.
• Clearly articulate roles and responsibilities, and design to handle conflict productively.
• Organize and train.
Source: https://edps.europa.eu/data-protection/data-protection/referencelibrary/data-protection-officer-dpo_en
Assess Risks and Create Awareness / Design and Implement Organizational Controls
• Data inventories are an excellent place to start.
• Conducting GDPR assessments gives insight into compliance gaps.
• Policies and procedures provide a standard against which to assess.
• Training (and tracking) are critical.
• Reporting is useful: it gives the DPO visibility into outcomes, which matter to the liaison role, rather than into the process the organization follows to reach them, which matters to the people running that process.
To-Dos, Tools and Resources
• Conduct a data inventory, or review the existing data inventory to identify risk areas and topics for further compliance assessments.
• Establish clear policies and procedures and train, train, train.
• Data flow maps and assessment tools may help visualize gaps, risks, and top activities.
• Design higher-level reports useful to the DPO.
Manage and Enhance Controls / Demonstrate Ongoing Compliance
• The data inventory can drive:
  – Establishing check gates for DPIAs and identifying needed DPIAs.
  – Identifying transborder data flows and adequacy mechanisms.
  – Upstream and downstream effects of a data breach.
• DPIAs can trigger prior consultation with the DPA where high residual risk remains. The obligation to consult sits with the controller, but handling the consultation may fall to the DPO as contact point for the DPA.
• Handling privacy escalations and requests well is critical. A sound, well-trained escalation path is the key to success.
To-Dos, Tools and Resources
• Use the data inventory as a roadmap for controls.
• Cross-functional teams and privacy advocates at check gates can assist.
• Strong training is essential.
• Identify DPIAs that trigger DPA consultation on residual risk.
• Dashboards and visual representations are useful.
Questions?
Contacts
Margaret Alston: malston@trustarc.com
Gonca Dhont: gdhont@dponetwork.eu
Thank You! Register now for the next webinar in our 2018 Winter / Spring Webinar Series, “72 Hours Notice: Incident Response Management Under the GDPR”, which is due to take place on April 18, 2018. See http://www.trustarc.com/insightseries for the 2018 Privacy Insight Series and past webinar recordings.