5 Critical GDPR Tasks Your DPO Must Be Empowered to Do Now
Preparing for a career as a data protection officer (DPO) is serious business. Besides the right educational background and actual on-the-job experience needed to be proficient, data protection officers need to have access to the right tools to enable them to work quickly, efficiently and as thoroughly as possible.*
That’s where Dropsuite comes in. On August 26, 2019, we announced our latest technology update: a major expansion of the GDPR capabilities within our Email Archiving product line. This release advances the company’s vision of safeguarding, storing, discovering, exporting and deleting data to its full potential. It empowers data protection officers to fulfill time-sensitive GDPR compliance requests by letting them define who can access particular types of data across the organization, and how that data can be managed.
Before we delve into the details of what Dropsuite’s tool does and why DPOs should take notice, let’s take a moment to recap what GDPR is and why the role of the data protection officer is crucial for successful compliance.
GDPR: A Recap
The European Union created the General Data Protection Regulation (GDPR) so that individuals could reclaim control over their personal data from the organizations that collect and use it. Under GDPR, individuals (data subjects) have the following rights:
- Access: Request access to their personal data, learn how it is used and obtain a free copy
- Erasure (right to be forgotten): Withdraw consent for a company to use their personal data and have that data deleted
- Portability: Transfer their personal data from one service provider to another
- Informed: Be told before their data is gathered; where processing relies on consent, that consent must be given explicitly rather than implied
- Rectification: Have incorrect data corrected or updated
- Restrict processing: Require that their data be stored but not otherwise processed
- Object: Have processing of their personal data for direct marketing stopped as soon as they object
- Notified: Be told of a data breach involving their personal data where it is likely to result in a high risk to them
GDPR has shifted power to the consumer, and the burden of complying with its rules falls on businesses. Non-compliance can be costly: fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.
Even though GDPR was created by the EU, it is not limited to EU companies. It applies to any organization established in the EU and, regardless of where the organization or its processing is located, to any organization that offers goods or services to people in the EU or monitors their behaviour there. If your company serves EU residents, it is most likely subject to GDPR. This surprises a lot of people!
Forward-thinking businesses that work with personal data have appointed data protection officers to ensure GDPR compliance.
Tasks of the DPO
The data protection officer’s job is not easy. There is a lot of grey area when it comes to ‘GDPR responsibilities’: there are the formal GDPR rules to adhere and respond to, the business’s own compliance processes to follow, and regulated obligations around the retention and archiving of business communications. Being a successful DPO means being a steward of legal, compliance, public policy and IT concerns as well as of data protection and privacy.
According to the European Data Protection Supervisor (EDPS), the primary role of the data protection officer is to ensure that the processing of personal data (about staff, customers, providers, etc.) complies with the applicable data protection rules. The EDPS, which supervises the EU’s own institutions, outlines seven key tasks every DPO should master (for DPOs outside the EU institutions, the corresponding statutory list is in GDPR Article 39, and the regulator to cooperate with is the national supervisory authority rather than the EDPS):
- Ensure controllers and data subjects are informed about their data protection rights, obligations and responsibilities
- Give advice and recommendations to the organization about the application of data protection rules
- Create a register of processing operations within the organization and notify the EDPS of any risks
- Ensure data protection compliance within the organization and help it be accountable
- Handle queries or complaints on request by the organization
- Cooperate with the EDPS in responding to requests
- Draw the organization’s attention to any failure to comply with the applicable data protection rules
Getting Serious About GDPR
Now that time has passed and national supervisory authorities, such as the UK’s Information Commissioner’s Office (ICO), have issued several large fines, GDPR is starting to be taken more seriously by organizations throughout the world.
During the first year of GDPR (its first anniversary was May 25, 2019), fines totalling €56M were issued, with 200,000+ investigations (64,000 of which were upheld). However, the scope of these penalties is a bit misleading: €50M of that total was a single fine against Google, issued by France’s CNIL.
More recently, the ICO announced its intention to fine British Airways £183 million (about $230 million) in connection with a significant 2018 data breach, and Marriott International £99 million (about $123 million) after a breach disclosed in November 2018 that exposed personal data in approximately 339 million guest records, of which around 30 million related to residents of the European Economic Area (EEA).
Not all GDPR violations end up with huge fines being issued. In fact, only a small number of fines have been issued to date. But corrective warnings have been levied against dozens of small businesses throughout the EU.
For example, of the 124 cases the UK Information Commissioner’s Office listed on its website as of June 2019, 29 were enforcement notices requiring companies to stop processing data in a certain way, 11 were requirements to modify business practices and 72 were monetary penalties.
In Germany, a chat provider whose platform was found to be inadequately secured was required to add proper encryption and access controls.
There are many examples like this across the EU of smaller organizations being issued corrective notices rather than fines. However, GDPR fines may ramp up in the coming years. Time will tell.
Dropsuite Empowers DPOs to Perform 5 Critical GDPR Tasks
With GDPR Responder 2.0, Dropsuite empowers the Data Protection Officer with the ability to more easily manage their GDPR compliance responsibilities around archived business communications, such as emails and their attachments (Dropsuite is compatible with Microsoft Exchange Online – Office 365, Hosted Exchange and G Suite Gmail).
Dropsuite empowers DPOs to perform 5 critical tasks:
- DPO manager role: Data Protection Officers (DPOs) can assign roles, review GDPR requests, review/flag/export/delete data, and record why data can or cannot be deleted
- Delegated access permissions: Data Protection Officers (DPOs) can assign and delegate internal/external access permissions for GDPR discovery/review for auditors
- SuperSearch: Choose from 20 different search attributes to greatly shorten the GDPR discovery process
- Right to be forgotten: Data Protection Officers (DPOs) or their assignees can export a copy of the data found for the requester under GDPR Article 15(1) (right of access), or delete it under Article 17(1) (right to erasure) where deletion does not conflict with another legal retention obligation
- Message level retention and legal hold: Data Protection Officers (DPOs) or assignees can add retentions from 6 months to indefinitely on individual or bulk messages, add legal holds for indefinite periods on individual or bulk messages
Over time, additional DPO empowerment features and utility will be added to the Dropsuite platform as GDPR and other international data privacy rules play out.
Why Dropsuite’s GDPR Tools Are Important
Flexibility and utility in your compliance tools are essential to meeting one’s GDPR obligations. For the DPO, here are three examples:
- Your company is contacted by an EU customer with a “Right to Erasure” request. GDPR Article 17(1) states that a data controller must erase the data “without undue delay”, and Article 12(3) sets an outer limit of one month (extendable by two further months only for complex or numerous requests). Technological or budgetary shortcomings are no excuse for delaying an erasure request. You must act quickly. What do you do?
- Your firm is contacted by an EU customer who wants a copy of all the data you hold about them. GDPR Article 15 gives the data subject the right to a copy of the personal data undergoing processing. But how do you find it in the maze of systems, databases and file formats that exist in Office 365?
- GDPR Article 31 obliges controllers and processors to cooperate with their supervisory authority on request, and that authority has contacted your firm for data related to a reported rules transgression that occurred 10 months ago. You have to quickly gather the who, what, when, why, where and to whom of that potential transgression. How do you search for, find and provide all of this data going back so many months?
The answers? Use Dropsuite to speed up your GDPR tasks within Microsoft Exchange Online (Office 365), G Suite Gmail or Hosted Exchange and support your regulatory compliance.
Beyond GDPR, from California to Portugal, as more countries adopt their own data privacy rules and enforcement methods, many ‘international flavors’ of data compliance will likely roll out, requiring DPOs to continually adjust and improve what they do best. We hope that learning more about GDPR, the role and responsibilities of the DPO, and Dropsuite’s GDPR Responder 2.0 has helped you better understand the essential GDPR tasks and utilities that every DPO needs in their toolkit.
* According to an article by Thomas Shaw of the International Association of Privacy Professionals (IAPP), it is recommended that the DPO be a licensed lawyer, with a degree in law. Other members of the IAPP recommend the DPO have Doctor of Philosophy (Ph.D.) or a Master of Laws (LLM) degree specializing in the subject matter (IT, compliance, auditing, information management, etc). As yet, there are no formal educational requirements to become a Data Protection Officer. Source: https://iapp.org/news/a/what-skills-should-your-dpo-absolutely-have/