Data Privacy Week 2023: 5 Ways to Support Your DPO all Year Round
In the 1960s, privacy pioneer Dr. Alan Westin defined the concept of data privacy as:
…the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.
By the 1990s, much of the world had adopted this definition, and Westin is considered the father of modern privacy legislation. However, the scope of the data requiring protection has changed beyond recognition since that time.
Why Has Data Changed?
Several factors have influenced the changes in the data environment, including:
Massive Increases in Data Volumes
The volume of digital data stored globally is doubling every 2 years. By 2019, 45 trillion GB of data existed worldwide, with 1 GB equating to approximately 60,000 pages of email. In the last decade, companies have invested around $5 trillion in data storage alone. Digitization means that 98% of data is never put into paper format, and storing and retaining digital data is hugely expensive.
Rapid Technological Innovation
Rapid innovation has made data privacy increasingly complicated: governments struggle to understand fast-paced developments in technology and to legislate accordingly. For example, the Metaverse interacts with HIPAA requirements, given the existence of telemedicine. AI and machine learning may create a whole further set of data privacy challenges.
A Complex, Stringent Regulatory Landscape
For example, the EU General Data Protection Regulation (GDPR), enacted in 2018, requires compliance from all organizations handling the personal data of EU data subjects. Hefty penalties, often highly publicized, are imposed for noncompliance. The US has no uniform equivalent to the GDPR and has traditionally relied on a patchwork of industry-specific regulations designed to protect consumers. However, many US states are now enacting data privacy legislation that resembles the GDPR. For example, California, Connecticut, Utah, and Virginia are enforcing legislation in 2023, while Michigan, Ohio, and Pennsylvania did so in 2022. Other states have indicated that they will follow suit in due course.
Data Privacy as a Human Rights Issue
In the EU, data privacy is approached from a human rights perspective, while consumer protection has been the main approach in the US. New regulatory frameworks are now coming into play across the US and globally that take the same stringent, rights-based approach to protecting data subjects as the EU takes with the GDPR. This extends to the MENA region, with Saudi Arabia and the UAE just two examples of countries that have brought in a Personal Data Protection Law (PDPL) in recent years.
Why Do I Need a Data Protection Officer?
All organizations that process data related to individuals residing within the EU must comply with the GDPR. In summary, the main stated goals of the GDPR include:
- Protecting EU citizens’ personal data.
- Providing control to individuals (data subjects) over their data.
- Streamlining data collection and processing activities.
A DPO, or Data Protection Officer, is a mandatory role defined in the GDPR. Under the GDPR, organizations must appoint a DPO if they fall into any of the following categories:
- They are a public authority or body.
- Their core activities involve large-scale processing of personal data that requires regular and systematic monitoring of data subjects.
- Their core activities involve large-scale processing of data within the special categories.
If you fall into any of these categories and fail to appoint a DPO, you can face penalties of up to €10 million, or 2% of your annual turnover, whichever is greater. Occasionally, these huge fines make headlines and can cause much reputational damage to an organization. For example, in 2021, Amazon was fined $887 million (the largest GDPR fine ever) and WhatsApp was fined $227 million for breaches of the GDPR. Meta kicked off 2023 with a $400 million fine from the Irish Data Protection Commissioner in relation to ad targeting and data handling practices that were judged to be in breach of the GDPR. Against that backdrop, hiring a qualified DPO can result in substantial long-term savings for businesses.
What Exactly Does a DPO Do?
A DPO monitors compliance, provides information and advice, coordinates with the supervisory authority, and serves as a privacy consultant. In the current regulatory landscape, it is no longer enough to have a Chief Information Security Officer (CISO) to oversee the technical aspects of data security. DPOs (sometimes called Chief Data Officers) are also necessary to take the lead on data governance and strategy. In short, DPOs advocate for the customer whose data is being processed.
A DPO acts like a regulator within your organization. In order to fulfill their roles effectively, DPOs must be entirely free from conflicts of interest. This means that they cannot:
- Hold any post that would result in them determining how data is processed within the organization employing them.
- Report to the Chief Privacy Officer or CISO, or to anyone within a business division responsible for processing personal data.
A DPO can, however, report to a C-suite executive or to the Board of the organization that employs them. Even so, an employer cannot instruct their DPO on any aspect of how to investigate a complaint, the desired result of an investigation, or whether or not to consult the supervisory authority. The GDPR also prohibits employers from encouraging their DPO to follow any specific interpretation of data protection law. Additionally, an employer cannot fire a DPO for making an unfavorable decision.
While the concept of an independent DPO with no conflicts of interest is relatively new to the US, it has existed in Europe for quite some time. Although the role of DPO is specific to the GDPR, it is becoming relevant across the world as legislation similar to the GDPR comes into effect.
What are My Responsibilities as a Business?
If you are an enterprise, you are ultimately responsible for compliance under the GDPR, not your DPO. Furthermore, you must provide your DPO with certain forms of support, including:
- Active support from senior management
- Access to relevant stakeholders
- Sufficient time to fulfill duties
- Adequate financial and infrastructure resources
- Official communication about the DPO appointment to all employees
- Continuous training
- A team, if the size and structure of your organization merits one
Additionally, you must publish the contact details for your DPO and provide these details to the relevant regulatory authorities. Note that appointing a DPO with a conflict of interest can result in a €10 million fine or a fine of 2% of the company’s annual global turnover (whichever is greater).
Five Ways to Support Your DPO
In truth, any effective action you take to support your DPO can only result in a win for the well-being of your organization. Compliance with data protection and privacy regulation is not only the ethical option. In the long run, it is also great for your organization’s reputation and financial welfare.
1. Build a Strong Organizational Culture Around Data Privacy
Provide comprehensive data privacy training as an inherent part of your employee onboarding process, as well as ongoing refresher training. The massive transition to work-from-home in 2020, and subsequently to hybrid working models, was accompanied by the migration of huge amounts of data to the cloud. As a result, the need to cultivate a robust employee awareness of security and privacy concerns is more vital than ever before.
3. Review Vendor Contracts and Update in Line with Any New Legislation
Vendors processing data on your behalf must comply with any new data privacy legislation. Accordingly, it’s vital to ensure that vendor contracts reflect any new obligations.
4. Adopt Robust Data Governance and Internal Protocols
Use strategies such as predetermined workflows, digital rights management, and data retention policies to ensure your data life cycle is compliant with the regulatory requirements for your industry.
5. Use a File-Sharing Tool with Built-in Data Privacy Compliance
There are various tools available on the market that enable compliance with data privacy regulations. FileCloud’s hyper-secure file-sharing platform, for example, with its fully integrated compliance and security features, is one of the most robust. With FileCloud’s user-friendly Compliance Center, you can easily organize your data compliance rules and parallel security features. Additionally, you can adjust configuration settings without the use of complicated code, save and share event logs with relevant personnel, and explore data privacy best practices.
How FileCloud Can Help Meet Complex Regulatory Demands
To find out more about how FileCloud can help with your GDPR and other compliance needs, check out our YouTube webinar "How FileCloud’s Compliance Center can help you meet GDPR compliance".
You can start a free trial of FileCloud at any time to see for yourself. In fact, you can sign up any time for a 15-day trial for FileCloud Online. If you wish to try out FileCloud on your own infrastructure, you can have a 30-day free trial of FileCloud Server.
Written by Deirdre Clancy, Technical Content and Communication Manager