If you are in an organization that has any clients, partners, or employees in Europe, you’ve almost certainly heard of GDPR — but how familiar are you with the Data Protection Officer role?
When we think about the cybersecurity changes that organizations make as part of their GDPR efforts, we often think of the Data Protection Officer as the driving force. Under GDPR, the Data Protection Officer has very specific obligations, many of which have a great deal to do with cybersecurity. The problem? GDPR specifies those responsibilities in a manner that is very formal and unapproachable. In this post, we’ll turn the complex language of Article 39 of GDPR into a plain-language discussion of some of the factors that you should consider.
Inform & Advise of Obligations
If you love reading legalese (we don’t), you’ll definitely love reading this part of Article 39’s description of the Data Protection Officer’s responsibilities:
“to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions”
Want to know what happens in the real world, when companies are trying to comply with GDPR and they happen upon this article? The best companies interpret this clause as having a lot to do with (1) Employee Training, and (2) Coaching. We’re not saying that the obligations stop there, but we want to share why leading organizations focus on those two areas.
On the Employee Training front, when a Data Protection Officer is required to “inform and advise” various stakeholders, the scalable approach to making this happen is through training. The norm when a company is first coming into compliance with GDPR is to do companywide training on GDPR to catch everyone up, then to provide GDPR training to each new employee who joins the team over time, and lastly to make the companywide training recurring. Sound hard? It was very hard for those of us who lived through becoming compliant with GDPR in time for the Memorial Day 2018 deadline. But now? It’s not so hard. Companies like Havoc Shield offer online, on-demand, audit-logged training for GDPR. And it’s not even hard to complete. We could have you set up as soon as today, if you’d like.
On the Coaching front, put yourself in the shoes of an engineer that is implementing a new form on your website. The form happens to handle some PII inputs. The decisions at hand relate to both security and privacy in a way that is interdependent. Where will the information be stored? Is the submission being encrypted in-transit? At-rest? If a user browses the form from Germany, what server handles the submission? If a user browses from the United States, what server handles the submission? Is the submission tagged in a way that makes it easy to remove all data about the submission, if the user later requests to “be forgotten”? All of these discussions are perfect for a coaching conversation.
The best Data Protection Officers are approachable, and encourage ad hoc interactions with employees that arrive at a crossroads with regard to data handling and want to discuss the implications of the ways that they could proceed. Want employees to comply with GDPR? Give them an approachable Data Protection Officer that welcomes and encourages conversation, and approaches those conversations from a “coach” mentality.
Let’s go back to Article 39 again. Next up is this piece, which reads somewhat less enjoyably than a sonnet:
“to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits”
Here we’ll focus on the top things that we see leading Data Protection Officers do, related to this clause. Again, we’re not going to be thorough here — today we’ll just talk about the biggest things that we see Data Protection Officers do “right” when it comes to this clause.
Monitoring compliance for GDPR has much to do with a compromise between (1) Systems and (2) Manual Mitigations. Imagine that you are a Data Protection Officer and you want to monitor your organization’s compliance with the so-called “Right to be Forgotten” — one of the most well-known portions of GDPR. You could insist that your organization develop a fully automated way for users to signify that they want to be forgotten and have all of their data records immediately and automatically expunged — with no human intervention. We’d call that the “systems” approach. We’d also call it insanely difficult for most small businesses to achieve — getting that done is the PhD-level course in GDPR implementations.
Or, as Data Protection Officer, you could encourage your organization to automate as much of the process as possible, but accept that there may initially be some steps that are nudged along by employees manually. You could focus on getting them closer and closer to a fully automated system every month. And you could build rapport with employees by empathizing with the fact that they have competing demands for their time, and by acknowledging that a combination of Systems and Manual Mitigations is a workable path to compliance.
The best Data Protection Officers take this “Systems plus Manual Mitigations” approach to monitoring compliance. If a report about the users that requested the right to be forgotten isn’t a daily automated report, but instead is a weekly semi-automated report, the best Data Protection Officers thank, encourage, and challenge employees to continue their GDPR compliance journey in a positive way.
Again, this compliance monitoring for GDPR is inextricably linked with cybersecurity. Sorting out a monitorable way to store, encrypt, de-identify, and expunge user data has much to do with choices related to data transmission, storage, and retrieval — with cybersecurity implications at every step. A strong GDPR implementation should almost certainly also improve the organization’s cybersecurity posture.
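The two engineering points above (tagging a submission so that every record about a person can be removed on an erasure request, and the weekly semi-automated report of erasure requests that the Data Protection Officer reviews) are easier to picture with a small model. The following Python is an added example written for this post; it is not Havoc Shield code, and the table names, subject ids and dates are constructed. The one-month service window it checks comes from GDPR Article 12(3), which the post itself does not cite.

```python
"""Subject-tagged personal data store with erasure handling and a DPO report.

Added example, not Havoc Shield's code. Every stored record carries the
data-subject id it is about, so an erasure request needs no per-table search
logic: delete everything with that tag. The report flags requests that are
still open after the one-month window of GDPR Art. 12(3) and, as a safety
check, completed requests whose subject has somehow acquired data again.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Record:
    subject_id: str   # tag: the person this row is about
    table: str        # where it lives (constructed table names in demo())
    payload: dict


@dataclass
class ErasureRequest:
    subject_id: str
    requested_at: datetime
    completed_at: Optional[datetime] = None


class PersonalDataStore:
    def __init__(self) -> None:
        self.records: List[Record] = []
        self.requests: List[ErasureRequest] = []

    def submit(self, subject_id: str, table: str, payload: dict) -> None:
        """Store a form submission (or any row) tagged with its data subject."""
        self.records.append(Record(subject_id, table, payload))

    def request_erasure(self, subject_id: str, when: datetime) -> None:
        """Record a 'right to be forgotten' request; processing may be manual."""
        self.requests.append(ErasureRequest(subject_id, when))

    def records_for(self, subject_id: str) -> List[Record]:
        return [r for r in self.records if r.subject_id == subject_id]

    def process_erasure(self, subject_id: str, now: datetime) -> int:
        """Expunge every record tagged with the subject; return how many went."""
        before = len(self.records)
        self.records = [r for r in self.records if r.subject_id != subject_id]
        for req in self.requests:
            if req.subject_id == subject_id and req.completed_at is None:
                req.completed_at = now
        return before - len(self.records)

    def compliance_report(self, now: datetime,
                          window: timedelta = timedelta(days=30)) -> Dict[str, List[str]]:
        """What the DPO reviews: open requests, overdue ones, and completed
        requests whose subject still has data (a sign a feed re-imported it)."""
        pending: List[str] = []
        overdue: List[str] = []
        data_remains: List[str] = []
        for req in self.requests:
            if req.completed_at is None:
                age = now - req.requested_at
                (overdue if age > window else pending).append(req.subject_id)
            elif self.records_for(req.subject_id):
                data_remains.append(req.subject_id)
        return {"pending": pending, "overdue": overdue,
                "completed_but_data_remains": data_remains}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: two subjects submit a web form, both ask to be
    forgotten, only one request is processed before the report is run."""
    store = PersonalDataStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store.submit("subj-1", "web_form", {"email": "one@example.invalid"})
    store.submit("subj-1", "crm_notes", {"note": "asked about pricing"})
    store.submit("subj-2", "web_form", {"email": "two@example.invalid"})
    store.request_erasure("subj-1", t0)
    store.request_erasure("subj-2", t0)
    store.process_erasure("subj-1", t0 + timedelta(days=2))   # handled manually
    return store.compliance_report(now=t0 + timedelta(days=40))


if __name__ == "__main__":
    print(demo())
```

The report is deliberately a plain dictionary so that it can be produced weekly by a script and pasted into a ticket, which matches the semi-automated state the post describes; the `completed_but_data_remains` bucket exists because the hardest part of erasure in practice is data that flows back in from another system after the delete.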
Data Protection Officers: What Else?
Although we’re not going to cover it in detail in this post, Data Protection Officers are also responsible for certain interactions with authorities, and for handling Data Protection Impact Assessments. More on that next time.
In the meantime, please keep coming back to Havoc Shield for additional insights about cybersecurity strategies that can help your organization advance to the next level of cyber safety. And, if you need a hand with GDPR compliance, please do tap into our online, on-demand, modern training for GDPR — and the many controls in our platform that will help you along your journey to GDPR compliance.