Data Protection
Data Protection Officer
The Data Protection Officer (DPO) is a new leadership role created with the implementation of the General Data Protection Regulation (GDPR).
Why a DPO ?
When it comes to compliance and regulations for the protection of personal data, the data protection officer is one of the most important roles within the company. What’s more, the data protection officer (DPO) role is only gaining more traction, given the increasing regulations for data privacy.
In addition to facilitating compliance through accountability tools- like data protection impact assessments (DPIA) and carrying out audits, DPO acts as an intermediary between relevant stakeholders.
DPO also oversees the data privacy and data protection policies to ensure the operationalization of those policies through all organizational units and makes sure the organization processes personal data in a compliant way.
Data Protection Roles
Data subject
The data subject is the person whose data is being processed. This means that whenever you provide your personal data to a company, you become the data subject in relation to that company. As a data subject, you have basic rights, including the right to be informed about what data is being processed and why, the right to object to data processing and the right to have your data deleted.
Data Controller
The next role within the GDPR is that of the data controller. The data controller is the person, company or authority that decides the purposes for which the data is processed. The data controller is responsible for the data processing, and the GDPR regulates the responsibilities and requirements related to the data controller.
Data Processor and Subprocessor
The data processor processes the data on behalf of the data controller. This is the case, for example, when a transport company delivers products to customers on behalf of the company that sells the products.The difference between the data controller and the data processor is that the data processor does not control or decide the purposes for which the data are processed.
Data Protection Authorities and Data Protection Officers
In order to ensure compliance with the GDPR and to provide guidance on how to comply with the Regulation, each country in the EU/EEA has its own state data protection authority;
A Data Protection Officer, also referred to as a DPO, is a role within a company or organization whose responsibility is to ensure that their organisation processes personal data in compliance with the GDPR and the national data protection regulations.
Data Controller's Responsibilities
The data controller’s responsibilities
The data controller is the person, company or authority who decides on the purposes for which the data is being processed. The data controller is responsible for the data processing regarding the data protection authorities, and the data subjects.
Third Parties . Data Processing Agreement – DPA
If the data controller hires third parties for processing the data, the data controller must enter into a written agreement with the data processor.
No matter if the data is processed by the data controller itself, or by a data processor, the data controller must decide on the scope and purpose of processing, including:
- Deletion routines
That is how long the data will be stored - Legal basis for processing
Deciding whether the candidates, onboardees, or employees must consent to the use of their data, or if it’s enough to inform them about it - Information to data subjects
That is information regarding privacy policies within the systems
The data controller must report data breaches
A data breach refers to a situation where personal data is accessed, lost or destroyed, either by mistake or as a result of theft or other fraudulent activity.
This includes:
- You forget your work computer full of information about your employer, the business, colleagues and customers on the subway
- A thief breaks into the office and steals company information
- You accidently send an email to the wrong person
- A hacker attacks vulnerability in your data security and accesses the personal data of your candidates, onboardees, and employees.
Data breaches that entail a risk for the data subjects must be reported by the data controller to the data protection authorities within 72 hours.
Data Protection Officer Responsibilities
The Data Protection Officier responsibilities
DPO tasks and responsibilities include tasks associated with data privacy, such as:
- Inform and advise the company (Data controller or Data processor) and employees how to be GDPR compliant and how to comply with other data protection laws
- Manage internal policies and make sure the company is following them through
- Raise awareness and provide staff training for any employees involved with processing activities
- Provide advice regarding the data protection impact assessment and monitor its performance
- Give advice and recommendations to the company about the interpretation or application of the data protection rules
- Handle complaints or requests by the institutions, the data controller, data subjects, or introduce improvements on their own initiative
- Report any failure to comply with the GDPR or applicable data protection rules
- Monitor compliance with GDPR or other data protection law
- Identify and evaluate the company’s data processing activities
- Cooperate with the supervisory authority
We all have a Responsibility
We all have a responsibility
We all have a responsibility to protect and safeguard personal data, and to inform and report when personal data may be mishandled. Therefore, if you encounter a situation where you think data has been wrongfully accessed, altered, lost or deleted, you should always follow internal policies, and inform your data protection point of contact. This is critical in order to fulfil obligations towards data subjects, and to be a safe, professional and successful organization.