Is Your Board Thinking DPO?

AUG 23, 2017

The General Data Protection Regulation (GDPR) mandates that you have a Data Protection Officer (DPO) - Are You Ready?

(Originally appeared in the August 23, 2017 'Across the Board' publication, reaching 22,000+ savvy business leaders in over 65 countries)

In May of 2016, the European Union GDPR (General Data Protection Regulation) was approved and signed into law, providing additional privacy and information control for citizens based within the European Union. This regulation is not only unprecedented but also complex legislation that will "have a dramatic impact on how global firms process, store, disseminate and purge the personal data of EU citizens" as of May 25th, 2018, the effective date. The GDPR consists of 99 Articles categorized in 11 Chapters (huge) and is a major update from the outdated and technologically-defunct regulations drawn up 20 years earlier.

The General Data Protection Regulation is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU.

So why should you care about a regulation initiated by, and seemingly applicable only to, the EU? Because GDPR does not just impact European firms. Organizations outside the EU will need to comply with the GDPR if they control, process or store any EU residents' personal data. That's big. And this legislation is already becoming the new standards bar for companies around the world, regardless of which country or countries they reside in. In terms of data security, data handling and data storage, most local jurisdictions outside of the EU don't even come close to the level of mandates and requirements that the GDPR imposes, making GDPR the most comprehensive and detailed data protection regulation to date globally. "GDPR has put an even deeper focus in recent months on cybersecurity and data protection as the May 2018 deadline gets closer," said Samantha Drake, the Director of Sales at LIFARS, a global digital forensics and cybersecurity intelligence firm based in New York City. "Our clients have not been shy in requesting assistance to ensure their data security compliance."

Potential penalties, you ask, if your company is not in compliance? Steep.

  • €10 million or 2% of global annual revenue (calculated from the prior year), whichever is greater, if it is determined that non-compliance was related to technical measures such as impact assessments, breach notifications and certifications.
  • €20 million or 4% of global annual revenue (calculated from the prior year), whichever is greater, in cases of non-compliance of key mandates of the GDPR such as non-adherence to the main principles of processing personal data, infringement of the rights of data subjects and the transfer of personal data to third countries or international organizations that do not ensure an adequate level of data protection.

"Both [data] controllers and processors are regulated by the GDPR," mentions Professor Daniel J. Solove, the John Marshall Harlan Research Professor of Law at George Washington University Law School, in his article 'The Hidden Force That Will Drive GDPR Privacy Compliance.' "And, controllers are on the hook under GDPR if they do not ensure that vendors who process their data do so when compliant with GDPR." Think you are protected if one of your data vendors is out of compliance? Well, you're not. GDPR is not playing the 'wasn't our company's issue' game anymore.

Main summary areas of GDPR:

  1. Clearly defines the roles and responsibilities of data 'processor' and data 'controller' (Articles 4 and 24)
  2. Requires clear user consent for personal data processing (Article 7)
  3. Requires parental consent to process any data from anyone under the age of 16 (Article 8)
  4. Gives EU residents more control over data: request and receive their data in a common format, request transfer of their data to another party, or request that their personal data be erased (Articles 16, 17 and 20)
  5. Data protection capabilities incorporated into system design (Article 25)
  6. Mandatory notification of data breaches within 72 hours (Article 33)
  7. Mandatory appointment of a Data Protection Officer (DPO) (Article 37)
  8. Substantial fines of up to €20M or 4% of annual global revenue for non-compliance (Article 83)

Number 7 is extremely interesting. For public authorities, as well as companies processing large amounts of special categories of personal data, the appointment of a Data Protection Officer (DPO) is mandatory. Organizations are expected to hire someone who has real expertise and knowledge of the latest laws and practices.

A Data Protection Officer (DPO) is an enterprise security leadership role required by the GDPR. DPOs are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.

The DPO requirement has spawned some interesting discussions among CIOs, CISOs, CDOs, CTOs and a host of other technology and data-related C-Level titles in terms of responsibilities and pecking-order, but as Article 37 points out, "the Data Protection Officer may be a staff member of the controller or processor, or fulfill the tasks on the basis of a service contract." The 'service contract' mention in that sentence gets my entrepreneurial juices flowing as there is likely much opportunity here for service providers to offer end-to-end solutions in this space.

So, what is my recommendation to boards and board directors, and for the guidance they subsequently give their organizations and CEOs, regarding the DPO?

  • Ensure your DPO is truly an expert on the GDPR regulation and possesses a) the proper personality to dig into details and b) the innate ability to create the organizational relationships needed to get definitive answers. Remember that although the GDPR sets stringent requirements regarding the skillset of the DPO, it does not provide any direction to ensure that DPOs truly possess these competences. Your first line of defense could include requiring a DPO certification, which multiple training organizations currently offer. Additionally, I have personally utilized the Data Protection Impact Assessment (DPIA) line of questioning for DPO candidates - specifically, how they would implement this process. This allows you to get a feel for not just the strategic approach a DPO candidate would take but, equally important, their path of plan implementation, by probing on this one important drill-down area (i.e. look for responses covering steps such as access, identify, govern, protect and audit).
  • Have at least one member on your board with detailed knowledge of the GDPR regulation and infuse this into your governance checkpoints. It would also be worthwhile to seek out a DPO-certified board member or have an existing board member go for the DPO training / certification to ensure proper strategic input and governance on this topic in the boardroom.

What will you consider when evaluating your DPO?

Reach out directly to Mark A. Pfister to discuss your Board's GDPR and DPO strategy.


Mark A. Pfister, Chairman & CEO

_______________________________________________________


About the Author: In addition to sitting on numerous Boards, Mark A. Pfister is a certified Board Director and advises public, private and non-profit boards in efficient and effective operations. He is the inventor of the 'Board as a Service' (BaaS) engagement model and an expert project/program manager frequently consulting on strategic global initiatives.

Have Mark join you on his National Speaking Tours:

'Building an Effective Board For Your Company' shows business owners and leaders the immense value of creating or rebuilding an experienced 'go-to' Board of Directors or Board of Advisors - and most importantly, how to do it via a step-by-step roadmap. Make your company soar with the right foundational elements of an effective Board.

'The Strategy of Strategy' guides you through the 2500+ year history, evolution and next phase of Strategy - 'Amorphic Strategy.' Learn why strategy is so relevant to you personally as well as your business. Build and leverage your business strategy as well as your own strategy to see how these focused efforts will help you thrive and reach your full potential.
