Under the GDPR (General Data Protection Regulation), many organisations are required to appoint a DPO (data protection officer). Our recent webinar, ‘Challenges for data protection officers (DPOs)’, provided an introduction to the role and its requirements, covering the DPO’s responsibilities and the challenges they face. This was followed by a Q&A session with our GDPR expert Alice Turley.
In this blog, we list those questions and answers, helping you further understand the ins and outs of the role.
Webinar: Challenges for data protection officers (DPOs)
Should there be a specific board member with accountability for privacy strategy?
Yes, there should be a specific board member for oversight of and accountability for GDPR compliance, including privacy by design and by default. This helps to build the overall culture of data protection and compliance within the organisation and shows that you are leading from the top down.
What relationship should the DPO have with professional legal advisors?
Given the legal element of the DPO role, it is important for the DPO to have a close working relationship with your organisation’s legal advisors.
While a DPO should have a working knowledge of the GDPR, strategic decisions that need to be made in relation to GDPR compliance, such as determining the lawful basis for processing, or drafting specific documents such as company privacy policies and third party contracts, will require the expertise of a professional lawyer.
Are there any supervisory authorities considering certification schemes for DPOs?
Yes, several supervisory authorities are considering certification schemes for DPOs.
The Spanish Data Protection Agency (AEPD) is the first in Europe to set up regulations for a DPO certification scheme.
Can a DPO be appointed even if it’s not required?
Yes, a DPO can be appointed, but keep in mind that giving someone the title of ‘Data Protection Officer’ means that you will have to register this person with the supervisory authority, and therefore all obligations under the GDPR in relation to the DPO role then become applicable.
How many hours per week will DPOs be expected to commit to their work? I work with part-time volunteers.
This comes down to analysing your processes and procedures and estimating the time a DPO would need to spend on each task.
I would suggest that you initially begin with mapping your organisation’s data flows. This will give you a good indication of how much time you would need to spend on the DPO aspects of the role. In addition, you will need to take into account the number of data subjects you have, and the type of data you handle.
When a right to be forgotten request is received, are backups and archive folders required to be deleted?
Yes. Unless you have a legitimate reason for not deleting this information, the data will need to be deleted from every source it is stored in, including any backups.
Before deleting this information, you must first assess the request and determine if it is applicable under the Regulation.
Remember, the right to be forgotten is not an absolute right. This right has certain criteria attached and the DPO will need to assess if the data subject actually has the right to request the data to be deleted.
At what point is a charity required to appoint a DPO?
I have dealt with a number of charities this year and all were required to appoint a DPO so, in this instance, I would say it’s highly likely that you will be required to appoint one.
Your organisation will need to complete an assessment to determine if a DPO is required.
Once you have determined that one is required, you will need to appoint them as soon as possible (within two to three months). You will need to allow time for recruiting or training someone internally to take on that role.
You will then need to register your DPO with your country’s supervisory authority.
How important is it to keep up to date with different legislation?
DPOs need to be aware of other laws. If your organisation is currently in compliance with the GDPR then you are in a good position, but you will still need to keep up to date with the national laws, data protection legislation, etc., that may affect your organisation.
I would suggest, as part of your compliance universe, including the relevant pieces of legislation that affect or could have an impact on your organisation, such as the GDPR, ePR (EU ePrivacy Regulation), PSD2, and anti-bribery and corruption laws.
In addition, sign up to daily or weekly alerts that many organisations offer, including IT Governance Europe. Our weekly newsletter ensures you are kept up to date on cyber security and data protection issues.
Is there a guide regarding the retention timelines for different classes of information?
There isn’t one definitive retention period, as these may be subject to legislation.
Your organisation will need to create a data retention schedule that lists the various information your organisation retains and the timelines you need to adhere to in regard to regulations or best practice where a law is not in place. In addition, you will need to add the reasons why this time period was selected.
So, for example, there are data retention guidelines within the consumer protection code for organisations within the financial services industry, but you will also need to have data retention guidelines under company law, HR and employment law, and health and safety legislation.
What are the key points to note for cross-border transfers if the UK leaves the EU without a deal?
I would advise you to assess your information data flows, in line with guidance from the DPC (Data Protection Commission) in Ireland and the UK’s ICO (Information Commissioner’s Office).
If you do have personal data that’s transferred between the UK and the EU, you need to assess the reasons and purpose for doing this. If those data flows could be completed within the EU, then think about changing the process flow itself.
If the data cannot be processed in the EU, you will need to set up standard contractual clause agreements. This may sound complicated as these are legal documents, but the EU Commission’s website provides a drafted standard template. This simply needs to be filled in with both parties’ details, signed and dated. This is then considered an adequate measure for transferring personal data outside of the EU, providing also that you are maintaining suitable security arrangements in protecting the data at rest and transfer, etc.
Are you required to fulfil a DSAR (data subject access request) where there is pending legal action?
This query falls into the category of a more complex subject access request and you need to look at exactly what the request is asking for. Certainly, you are not required to do anything that would jeopardise the legal action, but it may be a case that the DSAR request won’t affect this.
In order to ensure the DSAR won’t affect legal action, you need to complete an assessment to pinpoint what exactly the data subject is requesting within the subject access request. This assessment would give you more ground to review and consider whether you would be impacting on the legal action if the information is given.
If you find that the information will impact the legal action, you will need to revert to national legislation such as the Data Protection Act 2018, as I’m sure there are grounds to hold back the information so as not to prejudice the case.
The data subject is looking for an accident statement and details.
If the legal action involves the whole accident, which I suspect it does (and that’s why they sent in the DSAR), you would need to be careful and complete a detailed assessment, documenting your reasons for why you believe fulfilling the DSAR would affect the legal action.
Can any staff member (not a DPO) be protected from whistleblowing on data protection matters?
This would not be covered under GDPR, but would be covered under the whistleblowing processes and procedures and whistleblowing legislation. So, this is something you would be better off referring to the legal department within your company as it’s not covered under the Data Protection Act.