GDPR obliges many organizations operating in the EU to appoint a data protection officer (DPO): public authorities, and any organization whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. Many others appoint one voluntarily. The role is typically not large enough to justify a full-time hire, but there are significant risks in combining it with another function. The DPO’s area of expertise is very different from other compliance areas and requires someone who can drill down deeply into both product and operational practices. At Dativa, we have been helping clients who cannot justify the expense of a full-time DPO with a service we call the “virtual data protection officer.”
A Dativa virtual DPO works deep inside the product and operations, which requires a detailed understanding of the many paths along which personal data flows. The virtual DPO asks questions across the business and checks that each processing activity complies. Moreover, Dativa’s virtual DPOs actively advocate “privacy by design.”
What are your legitimate reasons to collect data?
GDPR presupposes that businesses need to collect personal data to operate, but it restricts collection to what is necessary for the stated purpose (data minimization). Where a coarser form of the data is enough, collect only that: if you need to know roughly where a person lives, record the country or county rather than the street address and postal code. For the detailed personal data you do need, GDPR names pseudonymization as an appropriate safeguard (Articles 25 and 32): replace direct identifiers with a token, and keep the information that links tokens back to people in a separate store with its own access controls.
Furthermore, GDPR gives individuals a right to erasure (the right to be “forgotten”), and a DPO must ensure that processes are in place so that the company can erase data on request or where compliance requires it. Part of implementing this is a retention policy that clearly defines how long each category of collected data may be kept, together with a mechanism that enforces it, so that data is held only as long as necessary. Forgetting does not always mean discarding everything: the data may contain valuable insights for the future (historical support questions, for example, may be useful in building automated support services). Where data is kept for such purposes it must be anonymized, and the DPO must ensure that the anonymized data cannot be linked back to the original individuals.
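The following Python illustration, added here and not part of Dativa’s service or code, puts the three ideas above into one small support-ticket store: minimization (street and postal code are never stored), pseudonymization (tickets carry a random token, and the token-to-email link lives in a separate store), and forgetting (a retention sweep and an erasure request both move a person’s tickets into an anonymized archive and delete the link). The record layout, the 365-day retention period, and the sample tickets are constructed assumptions.

```python
"""Data minimization, pseudonymization and retention-driven erasure for a
support-ticket store. Added illustration with constructed sample data; the
retention period and the record layout are assumptions, not a GDPR template.
"""
import secrets
from datetime import date, timedelta

RETENTION_DAYS = 365  # assumed retention policy for support tickets


class ReidentificationStore:
    """Holds the only link between a subject and their pseudonym.

    GDPR Art. 4(5) calls this the 'additional information' that must be kept
    separately; in production it lives in a different database with its own
    access controls. Tokens are random, not hashes of the email: an unkeyed
    hash of a small input space (email addresses) is brute-forceable and so
    does not pseudonymize.
    """

    def __init__(self):
        self._email_to_token = {}
        self._token_to_email = {}

    def token_for(self, email):
        email = email.strip().lower()          # same person, same token
        token = self._email_to_token.get(email)
        if token is None:
            token = secrets.token_hex(8)
            self._email_to_token[email] = token
            self._token_to_email[token] = email
        return token

    def resolve(self, token):
        return self._token_to_email.get(token)

    def forget(self, email):
        """Erase the mapping; the pseudonymized records become unlinkable."""
        email = email.strip().lower()
        token = self._email_to_token.pop(email, None)
        if token is not None:
            del self._token_to_email[token]
        return token


def minimize(raw):
    """Keep only what support needs: coarse location, never street and postcode."""
    return {"country": raw["country"], "region": raw["region"],
            "question": raw["question"], "received": raw["received"]}


def anonymize(record):
    """Drop the pseudonym and coarsen the date so rows cannot be regrouped per person."""
    return {"country": record["country"], "question": record["question"],
            "month": record["received"].strftime("%Y-%m")}


class TicketStore:
    def __init__(self, reid):
        self.reid = reid
        self.operational = []   # pseudonymized records used to run support
        self.archive = []       # anonymized records kept for insight

    def ingest(self, raw):
        rec = minimize(raw)
        rec["token"] = self.reid.token_for(raw["email"])
        self.operational.append(rec)
        return rec["token"]

    def _retire(self, predicate):
        keep, gone = [], []
        for rec in self.operational:
            (gone if predicate(rec) else keep).append(rec)
        self.operational = keep
        self.archive.extend(anonymize(r) for r in gone)
        return len(gone)

    def erase_subject(self, email):
        """Right to erasure (Art. 17): drop the link and retire the person's tickets."""
        token = self.reid.forget(email)
        return 0 if token is None else self._retire(lambda r: r["token"] == token)

    def apply_retention(self, today):
        """Retire anything older than the policy, whether or not anyone asked."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        return self._retire(lambda r: r["received"] < cutoff)


# Constructed sample input (fictional people and addresses).
SAMPLE = [
    {"email": "Alice@example.com", "street": "12 Rue de Rivoli", "postcode": "75001",
     "country": "FR", "region": "Ile-de-France", "received": date(2022, 1, 10),
     "question": "How do I reset my password?"},
    {"email": "alice@example.com", "street": "12 Rue de Rivoli", "postcode": "75001",
     "country": "FR", "region": "Ile-de-France", "received": date(2023, 5, 2),
     "question": "Can I export my invoices?"},
    {"email": "bob@example.org", "street": "1 Main St", "postcode": "EC1A 1BB",
     "country": "GB", "region": "London", "received": date(2023, 6, 1),
     "question": "Where is the API key page?"},
]


def demo(today=date(2023, 7, 1)):
    store = TicketStore(ReidentificationStore())
    for raw in SAMPLE:
        store.ingest(raw)
    expired = store.apply_retention(today)              # Alice's 2022 ticket is past retention
    erased = store.erase_subject("alice@example.com")   # Alice asks to be forgotten
    return store, expired, erased


if __name__ == "__main__":
    store, expired, erased = demo()
    print("retired by policy:", expired, "erased on request:", erased)
    print("operational:", store.operational)
    print("archive:", store.archive)
```

The point to take from the split is that the operational table alone never identifies anyone, and that the right to erasure is satisfied by deleting one row in the separate store plus retiring the tickets, while the anonymized archive still answers “what do customers in France ask about?” without being able to say who asked.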
What if we want to do more with the data?
A DPO needs full visibility of any use of consumer data that goes beyond the standard operations of the business, including profiling consumers and sharing data with third parties. Where consent is the lawful basis for such use, the DPO must ensure that it is obtained through an explicit opt-in and logged, so that the company can demonstrate to the supervisory authority how and when data was shared and on what basis.
Profiling can bring many benefits to the organization, but the DPO must know exactly where consumers are profiled. To comply with GDPR, companies must state upfront if data will be used for machine learning that may result in profiling. Where profiling feeds automated decisions with legal or similarly significant effects on a person, the company must provide meaningful information about the logic involved and the consequences for the individual of being profiled in that way.
These restrictions also apply to sharing data with external parties, which requires extra precautions because the recipient’s use of the data is frequently beyond your control. To understand the many risks of sharing, first perform a Data Protection Impact Assessment, which will highlight the potential risks and consequences. Sharing private data may require an extra level of data handling, for example through a Self Sovereign Identity framework.
Establishing the role of a data protection officer
Where a DPO is required, GDPR requires the company to designate one and publish the DPO’s contact details, regardless of whether the role is full time. A management structure that avoids conflicts of interest and lack of accountability is a ‘must’ if the DPO is to fulfill their responsibilities.
The law requires that the DPO:
• Be involved, properly and in a timely manner, in all issues relating to the protection of personal data
• Report directly to the highest management level
• Not be dismissed or penalized for performing the DPO’s tasks
If, as often happens, the DPO role is assigned to an existing employee who has other responsibilities, there is a significant risk of conflicts of interest, which GDPR explicitly prohibits. Having an independent DPO has the added benefit of demonstrating to customers, investors, and partners that personal-data privacy is taken seriously. Here is a template for a DPO’s job description:
• Increase awareness through training
• Securely maintain the organization’s information related to GDPR compliance
• Provide guidance regarding data protection
• Cooperate with the supervisory authority
• Sign off on regular Data Protection Impact Assessments
• Lead on establishing a “privacy by design” culture across the organization
• Monitor compliance via audits or automatic reports
To be truly useful, the DPO must combine three mindsets: a governance mindset that ensures GDPR is followed, a security mindset that keeps sensitive data safe, and a strategic mindset that pursues opportunities and insights for using the data. A Dativa virtual DPO provides all three.
The Dativa offering
Dativa offers the virtual data protection officer service to organizations that cannot justify a full-time data protection officer. Whatever the current state of your organization’s GDPR compliance, Dativa can be a valuable partner. We can provide a virtual data protection officer, increase awareness through workshops, or perform an in-depth GDPR assessment. Our strengths are our understanding of data flows and our expertise in the data science that can be applied to the data.
For more information, contact us below.