Margaret Alston
Consulting Program Director
TrustArc
Gonca Dhont
Managing Director
DPO Network Europe
o No obligation in most EU countries
o No unified job description
o Limited career opportunities
o No unified job holder profile
o A somewhat mysterious job
o Lack of resources
o Lack of management support
“I am not involved in new processes from the beginning. If they ever come to me, it is usually at the final stage!”
“I have an irrelevant reporting line. My direct manager does not understand my work at all!”
o Inform & advise the business of its obligations
o Monitor the compliance of the business
o Contact point for the DPA
o Independence
o Must be engaged properly and timely
o Reporting to?
o Secrecy & confidentiality
o No instructions
o Secrecy & confidentiality
o Non-conflict of interests
o Approach tailored to risk

o Assertive
o Person of integrity
o Time management skills (if the employee holds the role on a part-time basis)
o Excellent risk assessment skills
Situation: The DPO will have multiple country responsibility
  Skills: Knowledge of covered MS DP laws and other intersecting laws, cultural expectations including DPA reflexes; language skills
Situation: It is an international business (vs local)
  Skills: Experience w/ data transfers, ability to work with remote teams
Situation: It is data-driven (vs data-supported)
  Skills: Tech knowledge, experience with big-data and/or new tech practices, …
Situation: There is high-risk processing (vs regular PD processing)
  Skills: Understanding of InfoSec practices, experience in similar industry, …
Situation: There is high reliance on outsourcing (vs in-house solutions)
  Skills: Experience w/ 3rd party risk management
Situation: Privacy program has low maturity or awareness level is low
  Skills: Experience in acquiring internal buy-in, delivering staff trainings, …
Situation: The DPO will have a team
  Skills: Experience in people management (sometimes not of your own!)
How have you or are you planning to staff the DPO role?
1 Yes
2 No
3 Not Yet
o Where to station the DPO if a single EU DPO? (outside the EU? if EU, where?)
© 2018 TrustArc Inc Proprietary and Confidential Information
GDPR Compliance Roadmap: Appoint DPO | Develop Policies, Procedures & Processes | Individual Data Protection Rights | Data Integrity & Quality | Privacy Notice & Dispute Resolution Mechanism
• Review the organization’s Org Chart and identify what structures must be in place in order to be effective.
• Clearly articulate roles and responsibilities and design to handle conflict productively.
• Organize and train.
https://edps.europa.eu/data-protection/data-protection/reference-library/data-protection-officer-dpo_en
Privacy Insight Series - trustarc.com/insightseries #trustarcGDPRevents © 2018 TrustArc Inc
• Conduct a data inventory, or review the existing data inventory to identify risk areas and topics for further compliance assessments.
• Establish clear policies and procedures and train, train, train.
• Data flow maps and assessment tools may help visualize gaps, risks, and top activities.
• Design higher level reports useful to the DPO.
Questions?
Contacts
Margaret Alston malston@trustarc.com
Gonca Dhont gdhont@dponetwork.eu
Thank You!
Register now for the next webinar in our 2018 Winter / Spring Webinar Series, “72 Hours Notice: Incident Response Management Under the GDPR”, which is due to take place on April 18, 2018.