GDPR is Dead? Two Things You Need to Do to Ensure Accountability in Data Protection
With all the negative publicity around it, such as the threat of massive fines, you could be forgiven for fearing GDPR. But what’s the reality? Regulators are unlikely to levy crippling penalties against small businesses in most cases. It’s time to see GDPR in a new light.
Is GDPR a fire-breathing colossus out to destroy you? Or is it just a useful set of principles which will help you get your data protection in order? Hard though GDPR compliance may be, it has noble aims. Companies can no longer pay mere lip service to data protection, and this is a good thing!
When you begin creating a GDPR framework, you’re making positive steps towards compliance. This will work in your favour if you suffer a data breach. The first pillar of GDPR is accountability. There are two main elements of accountability, which we’ll look at now.
Part 1: Who is Responsible for Data Inside Your Organisation?
A Data Protection Officer (DPO) is a vital part of the GDPR framework for many companies. This person might be an employee or an outside contractor. The DPO is responsible for overseeing GDPR compliance but may perform other roles within a company provided no conflict of interest exists. It’s the responsibility of the DPO’s employer to ensure this is the case.
The appointment of a DPO is mandatory in instances where:
- Processing is being performed by a public authority or body, excluding courts acting in their judicial capacity.
- The controller or processor regularly and systematically monitors data subjects within the EU on a large scale.
- The core activities of the controller or processor involve large-scale processing of a) special data categories as outlined in Article 9 of GDPR or b) personal data linked to criminal convictions or offences as described in Article 10.
For the purposes of GDPR, “core activities” include any that are essential to the main aims of the company or organisation. For example, the chief remit of a hospital is to provide high-quality healthcare, but it must process patient health data on a large scale to achieve this.
The term “large scale” is not explicitly defined under GDPR, but it may reasonably be determined by factors such as the number of data subjects, the volume of data, the duration of data processing and/or its geographical scope.
Not Hiring a DPO
There are instances where a controller may not be obliged to hire a DPO but where the processor contracted to store or analyse that controller’s data must have one. The opposite might also be true. It depends solely on who meets the criteria described above for mandatory designation.
In borderline cases where it is unclear whether or not an organisation needs a DPO, it’s a good idea to conduct an internal analysis before arriving at an answer. Documenting this process is all part of accountability under GDPR. Changes in activities or services provided should trigger an update of this analysis. This and other advice came originally from the former Article 29 Working Party on Data Protection.
If you run a company that has no need for a DPO, you can still appoint someone to oversee a GDPR compliance program. This way, you’ll avoid the extra burden of an official title while still holding yourself accountable and reaping the benefits of a GDPR framework. Among those possible benefits are building client trust and reducing the risk of costly data breaches.
It’s important that an unofficial GDPR overseer within a company is not labelled a DPO in any internal or external communications. Otherwise, they may find themselves subject to the requirements of Articles 37 to 39 of GDPR. Semantics matter here, since a voluntary DPO is the same as a mandatory one in the eyes of regulators.
Part 2: What Kind of Data is Processed by Your Company?
The second element of accountability is simple enough in concept. Do you know what data your company processes? Do you know where it all is? One major hurdle to GDPR compliance is data sprawl, where companies have lost control of their data and allowed it to creep across multiple servers, computers, devices, clouds and even other companies without monitoring it.
To set up an accountable GDPR framework, you must start an ongoing process of data mapping. This begins with discovery: finding out where all data is being stored, classifying it and monitoring it. Data mapping tracks the movement of data, whether it travels between local departments and branches or to overseas offices, subsidiaries or affiliated companies.
A data map or data register records all other information that relates to a data set, too, including the legal basis for processing it, type of processing and retention periods. All the details a company needs to make sure it is legally processing data are accessible through data mapping.
Lighten the Load of Accountability
Nothing in GDPR is more important than accountability. It’s at the heart of compliance. To be accountable you must be proactive in protecting data, and being proactive is what regulators want to see; it counts for almost everything.
Whether you appoint an official DPO out of necessity, voluntarily or have an unofficial GDPR supervisor, PrivIQ software will lighten that person’s workload. It offers an easy-to-use data mapping tool and a host of other features to help with compliance and accountability.
PrivIQ can turn a full-time job into a part-time one, leaving responsible persons free to perform other tasks within a company. Why not use our software as the foundation of your data-protection framework and finally get a handle on GDPR? Start today!