
PRIVACY INSIGHT SERIES

Winter / Spring 2018 Webinar Program

Appointing and Supporting the DPO. What Tools do you need?
14 March 2018

© 2018 TrustArc Inc Proprietary and Confidential Information


Today’s Speakers

Margaret Alston
Consulting Program Director
TrustArc

Gonca Dhont
Managing Director
DPO Network Europe

2 Privacy Insight Series - trustarc.com/insightseries #trustarcGDPRevents © 2018 TrustArc Inc


Today’s Agenda

• Welcome & Introductions

• Role of the DPO under the GDPR - the tasks, positioning, jobholder profile

• Who Should Appoint a DPO?

• How Companies are Operationalizing this Role

• Tools and Support for Success





Role of the DPO under the GDPR

Gonca Dhont, Managing Director, DPO Network Europe


The DPO role is nothing new in Europe, but….

• No obligation in most EU countries
• No unified job description
• Limited career opportunities
• No unified job holder profile
• A somewhat mysterious job
• Lack of resources
• Lack of management support


Why do privacy people change jobs?

“My work is not valued. So much so that, if I leave, they’d probably shut down the privacy program”

“All nice and well but there is hardly ever a budget to spend on resources…”

“I am not involved in new processes from the beginning. If they ever come to me, it is usually at the final stage!”

“I have an irrelevant reporting line. My new direct manager does not understand my work at all!”

Source: DPO Network Europe candidate interviews


A profession in the making…

• No obligation in most EU countries
• No unified job description
• Limited career opportunities
• No unified job holder profile
• A somewhat mysterious job
• Lack of resources
• Lack of management support


A ‘trusted compliance advisor’ or a ‘watchdog’

What are the tasks of a DPO?

• Inform & advise the business of its obligations
• Monitor the compliance of the business
• Contact point for the DPA
• Contact point for data subjects
• Advise on PIAs upon request



Position | Status | Way of Working

o Independence
o Must be engaged properly and timely
o Reporting to?
o Secrecy & confidentiality



What is the jobholder profile? (Does 1 DPO fit all?)

“The professional qualities & the ability to fulfil the DPO tasks”


DPO’s professional qualities are defined by…

1- The core tasks of a DPO (WHAT does a DPO do?)
2- The position & way of working (HOW does s/he do it?)
3- The business environment (WHERE does s/he do it?)


1- DPO qualities relevant to WHAT needs to be done

Tasks: Inform & advise on obligations; Advise on PIA (on request); Monitor compliance; PoC for external world.

Qualities:
• Knowledge of the GDPR, other regional DP regs and Member State laws
• Knowledge of DP practices
• Familiarity with Information Technologies & Security practices
• Approachable, consulting attitude
• Enjoys sharing knowledge
• Confident personality; can interact w/ all levels
• Able to distil complex legal requirements into understandable language and actions
• Structured w/ holistic approach
• PR skills
• Diplomatic & tactful communication skills


2- DPO qualities relevant to HOW it must be done

Requirements: No instructions; Reporting line; Secrecy & confidentiality; Non-conflict of interests; Approach tailored to risk.

Qualities:
• Able to work under minimum supervision
• Assertive
• Person of integrity
• Time management skills (if e’ee on PT basis)
• Excellent risk assessment skills


3- DPO qualities relevant to WHERE it must be done

| The situation… | Points to level of… |
|---|---|
| The DPO will have multiple country responsibility | Knowledge of covered MS DP laws and other intersecting laws, cultural expectations including DPA reflexes; language skills |
| It is an international business (vs local) | Experience w/ data transfers, ability to work with remote teams |
| It is a B2C environment (vs B2B) | Experience with SARs, breach management, … |
| It is data-driven (vs data-supported) | Tech knowledge, experience with big-data and/or new tech practices, … |
| There is high-risk processing (vs regular PD processing) | Understanding of InfoSec practices, experience in similar industry, … |
| There is high reliance on outsourcing (vs in-house solutions) | Experience w/ 3rd party risk management |
| Privacy program has low maturity or awareness level is low | Experience in acquiring internal buy-in, delivering staff trainings, … |
| The DPO will have a team | Experience in people management (sometimes not of your own!) |


Top DPO qualities in a nutshell


Who Should Appoint a DPO?

Gonca Dhont, Managing Director, DPO Network Europe


Poll Question #1

Have you appointed a DPO?

1 Yes
2 No
3 Not Yet



Who should appoint a DPO?

PUBLIC SECTOR: All public authorities (excluding courts)

PRIVATE SECTOR: 1) EU-based C&Ps AND 2) Non-EU C&Ps subject to the GDPR, whose CORE activities consist of processing
• that require REGULAR and SYSTEMATIC MONITORING of data subjects on a LARGE scale, or
• of SPECIAL categories of data and data relating to criminal convictions and offences on a large scale.

OTHER:
• Voluntary DPO appointment
• Required by MS laws


Should your company appoint a DPO?


How Companies are Operationalizing this Role

Gonca Dhont, Managing Director, DPO Network Europe
Margaret Alston, Consulting Program Director, TrustArc


Poll Question #2

How have you or are you planning to staff the DPO role?

1. Engage a freelance DPO (PT/FT)
2. Combination of in-house & external DPOs
3. Source internally (FT)
4. Source internally (PT)


How businesses implement the DPO requirement in Europe

They identify which entities should have a DPO. Many factors come into play. Example list of entities:
- Portugal (5)
- Spain (2)
- Germany (2)
- Austria (1)
Voluntary appointment?

They choose the right governance model. Some options:
- DPO per country
- DPO per sub-region (1 for Iberia and 1 for DEAT)
- A single EU DPO

They source qualified DPOs. CRITICAL DECISION! Some options:
- Source internally (FT)
- Source internally (PT)
- Engage a freelance DPO (PT/FT)
- Combination of in-house & external DPOs


Implementation: Theory vs Practice

| Examples | Sounds possible | Businesses want |
|---|---|---|
| Location | Anywhere is possible | Mainly in Europe |
| Language skills | English only | Multi-lingual DPOs as per geo covered |
| Legal framework knowledge | EU-level regulation only | Also MS laws knowledge + DPA reflexes |
| # DPOs per company | Single DPO for all EU entities | Multiple DPOs |
| Assigning DPO tasks to current employee | Possible | A dedicated resource |
| External DPO | Possible | In-house (businesses w/ large EU presence or risky proc.) |


Some FAQs / Observations

o The representative and the DPO – the same thing?
o Where to station the DPO if a single EU DPO? (outside the EU? if EU, where?)
o In-house DPO or external (and businesses w/o much option)
o What should we consider when appointing a current staff member on a PT basis?
o What about the reporting line if scope is multiple entities or countries?
o Can we appoint our in-house/external counsel as our DPO?


Tools and Support for Success

Margaret Alston, Consulting Program Director, TrustArc

GDPR Compliance Roadmap

| Build Program and Team | Assess Risks and Create Awareness | Design and Implement Operational Controls | Manage and Enhance Controls | Demonstrate Ongoing Compliance |
|---|---|---|---|---|
| Identify Stakeholders | Conduct Data Inventory & Data Flow Analysis | Obtain & Manage Consent | Conduct PIAs (DPIAs) | Evaluate & Control Effectiveness |
| Allocate Resources & Budget | Conduct Risk Assessment & Identify Gaps | Data Transfers & 3rd Party Management | Data Necessity, Retention & Disposal | Internal & External Reporting |
| Appoint DPO | Develop Policies, Procedures & Processes | Individual Data Protection Rights | Data Integrity & Quality | Privacy Notice & Dispute Resolution Mechanism |
| Define Program Mission & Goals | Communicate Expectations & Conduct Training | Physical, Technical & Administrative Safeguards | Data Breach Incident Response Plan | Certification |


Build Program and Team
• Though the DPO has responsibilities, he or she is not alone.
• The organisation must offer staff and resources to support the DPO in carrying out his or her duties. In this respect, DPOs in EU institutions and bodies can be seconded by an assistant or deputy DPO, and can rely on data protection coordinators (DPCs) in each section of the organisation. Access to resources also includes training facilities.
• There may be a deputy DPO, and data protection coordinators.
• Remember that these different roles are important, but they have the potential for conflicts.

To-Dos, Tools and Resources

• Review the organization’s Org Chart and identify what structures must be in place in order to be effective.
• Clearly articulate roles and responsibilities and design to handle conflict productively.
• Organize and train.

Reference: https://edps.europa.eu/data-protection/data-protection/reference-library/data-protection-officer-dpo_en


Assess Risks and Create Awareness / Design and Implement Organizational Controls
• Data Inventories are an excellent place to start.
• Conducting GDPR Assessments gives insight into compliance gaps.
• Policies and procedures provide a standard against which to assess.
• Training (and tracking) are critical.
• Reporting is useful, as it gives the DPO visibility into the outcome, which is what matters to the liaison role, rather than into the process the organization takes to get to that outcome.

To Dos, Tools and Resources

• Conduct a data inventory, or review the existing data inventory to identify risk areas and topics for further compliance assessments.
• Establish clear policies and procedures and train, train, train.
• Data flow maps and assessment tools may help visualize gaps, risks, and top activities.
• Design higher level reports useful to the DPO.




Manage and Enhance Controls
Demonstrate On-Going Compliance

• Data Inventory can drive:


– Establishing check gates for DPIAs and identifying needed DPIAs.
– Identifying transborder data flows and adequacy mechanisms.
– Upstream and downstream effects of a data breach.
• DPIAs can trigger consultation with the DPA regarding residual risk, which
may be the responsibility of the DPO.
• Handling privacy escalations and requests well is critical. A sound, well-
trained escalation path is the key to success.

To Dos, Tools and Resources

• Use the data inventory as a roadmap for controls.


• Cross-functional teams and privacy advocates at check gates can assist.
• Strong training is essential.
• Identify DPIAs that trigger DPA consultation on residual risk.
• Dashboards and visual representations are useful.





Questions?


Contacts
Margaret Alston malston@trustarc.com
Gonca Dhont gdhont@dponetwork.eu


Thank You!
Register now for the next webinar in our 2018 Winter / Spring Webinar Series, “72 Hours Notice: Incident Response Management Under the GDPR”, which is due to take place on April 18, 2018.

See http://www.trustarc.com/insightseries for the 2018 Privacy Insight Series and past webinar recordings.