Since the GDPR entered into force on the 25th of May 2018, it has introduced new practices for the processing and storage of personal data. Here are five of the most important considerations that every DPO should keep in mind.
1. Choosing a Lead Supervisory Authority
If the organisation that employs you as a DPO operates across EU markets in general and its processing activities are carried out on a large scale, it is likely that you will need to choose a Lead Supervisory Authority (LSA). In other words, the LSA is the authority with primary responsibility for dealing with the company's cross-border data processing activities.
Determining the LSA is not easy. However, once it is done, proper documentation needs to be put in place, recording who chose this particular LSA and why.
2. Data Processing Agreements with third-parties
Special attention must be paid when selecting the third parties that will have access to personal data for which the organisation acts as a controller. In GDPR terms, those third parties will usually be processors, and the controller must check, and be able to demonstrate, that each processor applies at least the same level of protection as the controller itself. When assessing that level of protection, factors such as appropriate technical and organisational measures should be considered.
In the event of a data breach, the controller will rely on the relevant clauses of the data processing agreement to get the necessary measures put in place: for instance, the steps the processor must take to assist the controller, and the level of detail about the breach that the processor must provide to the controller.
For all these reasons (data breaches, subject access requests and many other situations that can arise in day-to-day work), it is strongly advised that the data processing agreement be concrete and adequate.
3. Data breaches
It is vital that every organisation within the scope of the GDPR develops data breach procedures and response plans for notifying the authorities in case of a breach. Special drills may even be run so that, in the event of an actual data breach, everyone responsible acts calmly and with confidence.
4. Data Subject Access Request
Under the GDPR, among other rights, individuals (the data subjects) have the right to request access to, and obtain a copy of, their personal data (referred to as "subject access requests" or "SARs"). This right can be exercised through a verbal or a written request, and the organisation must respond within one month.
Controllers are obliged to respond to SARs; however, the act of responding carries certain risks and, of course, additional administrative work. It is therefore important to have procedures in place that cover the actions of every professional involved in handling SARs, so that the risks are mitigated and the administrative work is assigned in advance.
To stress the main risk involved in dealing with SARs: personal information could be disclosed to someone who is not authorised to receive it. Developing processes that define the level of information needed to verify an individual's identity before fulfilling the SAR will mitigate this risk. Further mitigation measures include staff training, centralising the task of responding to SARs, and developing template letters so that SARs are answered consistently across the organisation.
5. Keeping up with the legal updates in relation to GDPR
The GDPR is a revolutionary piece of legislation that aims to protect the personal data of residents of the European Union. Following its example, a number of similar laws have been prepared or are in draft form across the world, including in Brazil, the United States (in the state of California) and India (whose law is still in draft form). These laws are indeed inspired by the GDPR, but there are substantial differences between them, including different requirements.