GDPR and the important role of a Data Protection Officer
Before the introduction and enforcement of the General Data Protection Regulation (GDPR) back in May 2018, several organizations have been left exposed to risks that emerged from inadequate data protection and cybersecurity controls. Regardless of the organization type and size, data are being collected, processed, and stored without the appropriate controls in place. As a result of this, there is a high likelihood of data breaches and leakages with direct and severe consequences (i.e., reputational damage and harsh penalties) to data controllers. Nowadays, to address and minimize this likelihood, organizations must comply with the GDRP, a legislation designed based on privacy principles used to address privacy and cybersecurity requirements. Based on the core processing activities that organizations have to achieve their goals, and if those core activities are processing a large amount of personal data that are not proportionate based on the rights of the data subjects, organizations should appoint a Data Protection Officer (DPO).
Depending on the organization's type and size and the obligations towards GDPR compliance, DPO's could be appointed either internally (recruitment or dual-hat) or externally (DPO-as-a-Service / DPO Support services). Despite which option will be chosen, the DPO must have in-depth knowledge not only on GDPR's legal matters but also in domains such as Cybersecurity, along with the scope, context, and purpose of each processing activity of the organization. Some of the primary responsibilities that a DPO has, are:
- working towards the compliance of the organization with the GDPR and be aware of any changes in the data protection laws
- monitoring organization's data processing activities changes and initiate DPIA (Data Protection Impact Assessments) where is applicable
- collaborate with supervisory authorities
- promote data protection and cybersecurity training to promote and establish an awareness and education program to organisation's employees
- finally, DPO's must not be dismissed upon fulfilment of his/her task, as this position operates based on a constant monitoring function where any issues related to protecting personal data must be addressed in a timely and appropriate manner.
The challenges that DPOs and organizations are facing three years later
Such challenges start with the implementation of the GDPR as it is a colossal task itself to be fulfilled as raw data are scattered all over the organization's systems/divisions, making it extremely difficult to trace, access, update, share, and organize. In addition, by having limited and non-expert personnel assigned to this task, the challenge is exaggerated as to follow GDPR guidelines requires a dedicated team to be fully trained in order to carry out the implementation of the GDPR correctly. Furthermore, the lack of collaboration with other Departments/Organisational Units/Process owners adds an additional difficulty since DPOs cannot know where data reside, who is accessing them, how they are being used, and who is responsible for them. Therefore, any attempts to identify which data are being used as a part of their predefined purposes is extremely difficult to be determined. As a result of all those challenges, the lack of appropriate tools to manage data protection and privacy, DPO's won't be able to find a methodological approach to overcome compliance issues and provide efficient workflows by leveraging automated capabilities deployed across the organization.
Overcoming today's challenges via Digitalizing Privacy and Cybersecurity compliance
To timely identify and prioritize the organization's processing activities, an effective organizational structure must exist to ensure that all above challenges will be addressed sufficiently. To do so, most organizations and their DPOs are using spreadsheets to keep track of the privacy tasks (i.e., record of processing activities, data subject requests etc.) that take place within the organization. However, this approach possesses numerous challenges, such as the lack of meaningful results used to make vital and effective decisions, the lack of structured complex data and processes, and the absence of appropriate safeguards to monitor and control the recorded processing activities.
At Grant Thornton Cyprus, we overcome these challenges by using the Enactia SaaS platform (www.enactia.com) both internally but also for supporting our clients. Enactia is a cloud-based platform designed for Governance, Risk and Compliance (GRC), focusing on Cybersecurity and Data Protection. Enactia enables an organization to monitor its compliance towards various
At Grant Thornton Cyprus, we overcome these challenges by using the Enactia SaaS platform (www.enactia.com) both internally but also for supporting our clients. Enactia is a cloud-based platform designed for Governance, Risk and Compliance (GRC), focusing on Cybersecurity and Data Protection. Enactia enables an organization to monitor its compliance towards various legislations and frameworks such as GDPR, CCPA, PDPL, ISO27001 / ISO27701, NIST and many more. This platform comprises various interconnected modules that can adapt to business requirements and effectively deployed with complex processes. These modules can meet the requirements of GDPR such as Record of Processing Activities and Asset Register, Data subject Requests Management, Data Breach Registry and Reporting, Compliance Assessment, Ticketing Management, Risk Management, Vendor and Third-Party Management. In the case of GDPR, Enactia can assist the DPO in collecting the required information for fulfilling privacy-related tasks by using specific operations and functions to collaborate effectively with other organizational departments and employees.
All in all, with the digitalization era and the power of data, it is each organization's responsibility to take predictive, preventive, and mitigative measures towards data management and establish efficient and effective approaches. By complying with the regulatory requirements, organizations can set the groundwork for successful data governance while will ensure the quality, integrity, and security of their data and allow organizations to get the most benefits from their valuable assets.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.