Community Champion

Re: Your Top 5? - GDPR

Agreed, we know the velocity of the decisions in the EU, and Germany in particular is a pretty good example of how strong it could be with their Federal Data Protection Act:

 

https://iapp.org/media/pdf/resource_center/Eng-trans-Germany-DPL.pdf

 

For a great round-up of the pre-existing(non-GDPR) case law I recommend taking a look at this:

 

https://ec.europa.eu/anti-fraud/sites/antifraud/files/caselaw_2001_2015_en.pdf  

Newcomer III

Re: Your Top 5? - GDPR

While you have mentioned Germany, it helps to remind me of another regulator's decision on the Data Protection Officer (DPO), aligning with Articles 37, 38 and 39 under the GDPR, in late 2016 while referencing the FDPA:

 

https://blogs.orrick.com/trustanchor/2016/12/01/data-protection-officer-and-it-manager-two-jobs-that...

Community Champion

Re: Your Top 5? - GDPR

Totally, that's a no-brainer on a conflict of interest, plus an IT Manager does not reach anywhere near high enough in the organisation. From the link you referenced:

 

V. Recommendation

Companies required to appoint a DPO are thus well advised to carefully consider candidates that are free from conflicts of interest. While it does not appear necessary to preclude a DPO from having other corporate functions, the designated individual should not be in charge of, or have a personal stake in, significant decision-making relating to IT. One potential solution may be to “firewall” DPOs from such decision-making processes. Suffice it to say that this aspect of GDPR/BDSG compliance will be scrutinized heavily by German (and likely other) data protection authorities in the coming months and years.

 

DPOs advise this separation, so this is good advice.

 

There is also a school of thought I've come across that says don't call your DPO a DPO, unless you are mandated to have one under GDPR or other frameworks as there might be a heavier burden of expectation. Not the best reason IMHO, but this was from some lawyers.

Newcomer III

Re: Your Top 5? - GDPR

You have rightfully pointed out, Early_Adopter, "... don't call your DPO a DPO, unless you are mandated to have one under GDPR or other frameworks as there might be a heavier burden of expectation ...". The role is a compliance role rather than a risk management function. An IT Manager is more of a risk management or operational role and does not have a legal mandate like the DPO has under GDPR. It creates a conflict of interest due to its operative nature, as demonstrated in the German authority's opinion.

 

While you will find others like Singapore embedded the DPO in its data protection regulatory rules back in 2014, though not as loudly as GDPR demands, Hong Kong continues advocating the role as a best practice, and South Korea as well as the Philippines have revised their regulations to accommodate the data protection role legally without mentioning the DPO directly.

 

With GDPR being so descriptive and likely to set a 'gold' standard for the role, we will find it is likely to create a norm or increase expectations for the regulatory environment across the globe in years to come.

Newcomer II

Re: Your Top 5? - GDPR

Other than out-law.com:

 

https://www.out-law.com/

 

Does anyone know of any legal/media sites that are centralising and tracking privacy-related items and court cases?

 

('The Register' tracks security news items but it can be quite partisan.)

Newcomer II

Re: Your Top 5? - GDPR

Definitely - and there's always the possibility that the organisation 'waiting and seeing' could be the subject of a regulatory investigation or court case itself, privacy data breaches being the far-reaching and sometimes unpredictable things they are.

 

Community Champion

Re: Your Top 5? - GDPR

IAPP has some good jumping off points:

 

https://iapp.org

 

Newcomer I

Re: Your Top 5? - GDPR

1. Make it a cross-department effort; it is not just IT, just Legal, etc. Include Legal, IT, InfoSec, Compliance, and perhaps Risk.

2. Understand the data flows and contracts in place: map the data flows, and review the contracts and consent for processing data.

3. Create a process for Privacy Risk Assessment and integrate it into the System Acquisition and Deployment, and Vendor Management, processes.

4. Implement a Records Management practice that will enable the organisation to discover data based on an individual's name or unique identifier.

5. Deploy Threat Detection and Response capability to detect and respond to breaches if they occur.

 

And below are the 5 stages I saw recently in a presentation:

 

[image: slide showing the 5 stages, not reproduced here]

Newcomer III

Re: Your Top 5? - GDPR

While I am unsure of a website that offers a centralised view of privacy tracking or court cases, I find this article quite useful if you would like to know the data protection or privacy enforcement actions taken across the globe, not just the EU:

 

https://www.lexology.com/library/detail.aspx?g=4ba24232-056e-4a6a-8e4a-1d76a0300105&utm_source=lexol...

Newcomer I

Re: Your Top 5? - GDPR

My number 6 would be: don't be taken in by the snake-oil salesmen punting GDPR certification 🙂