A DPO’s-Eye View of GDPR
One of the first things people tend to ask when making introductions is "What do you do for a living?". When I’m chatting to someone in a bar or at a dinner party and this question comes up, I reply that, as well as being a finance director, I’m a data protection officer (DPO). Then I wait a beat for the look of puzzlement and the inevitable polite question about what the latter even means.
I normally limit myself to the briefest of descriptions before anyone’s eyes glaze over. However, I’ve noticed in recent weeks that everyone wants to talk to me about GDPR – in the last month, I’ve had my brains picked on the topic by my barber, my optician, friends in other companies, and even people at my kids’ school. So I started making a note of some of the most commonly asked questions, as well as my responses, to address the ongoing confusion and frantic, last-minute scramble to compliance.
What does a DPO actually do?
As DPO, I report to our CEO and wear the multiple hats of compliance officer, privacy expert, and facilitator (as well as my finance director hat). Effectively, I’m the first point of contact for all things data protection in my workplace. You don’t need a law degree, but you must have a thorough grasp of national and European data protection law, and know your stuff when it comes to IT and data security. I monitor our compliance and make sure my colleagues who carry out data processing understand their obligations under GDPR. I might be asked for advice relating to a data protection impact assessment, which means identifying privacy and security risks and proposing ways to mitigate them. And I have to balance maintaining a good rapport with data controllers and processors across our business with the needs of supervisory authorities, which demands a healthy level of professional detachment and good communication skills.
If, like me, you’re acting as DPO on top of your day job, you do need to make sure there’s no conflict of interests between the two roles. If there’s nobody in your business with the unique skillset to take on the mantle of privacy professional, “DPO as a Service” is becoming a thing, to avoid the challenges of resourcing a full-time position internally.
Does my business need a DPO?
GDPR applies to your organisation if it processes personal data (any information relating to an identified or identifiable individual – from names, addresses, and photos to biometric data) and is either established in the EU or offers goods or services to, or monitors the behaviour of, people in the EU. Being subject to GDPR is not the same as being obliged to appoint a DPO, though. Appointment is mandatory in three cases: you are a public authority or body; your core activities involve regular and systematic monitoring of individuals on a large scale, such as online behaviour tracking; or your core activities involve large-scale processing of “special categories” of personal data, like ethnicity, political opinions, or health data, or of records of criminal convictions and offences. Quite what “large scale” means, however, is somewhat fuzzy. It’s worth noting that GDPR is a principle-based regulation, rather than a rule-based regulation, so the type of decisions I face often fall into grey areas and have to be taken in context, rather than boiled down to simple binary answers. You can voluntarily appoint a DPO even if you’re not legally obliged to do so (bear in mind that a voluntary DPO is then held to the same requirements as a mandatory one): if in doubt, it’s better to err on the side of caution.
I’m a small business owner. Am I exempt from GDPR?
The Commission’s original draft of the GDPR tied mandatory DPO appointment to a 250-employee threshold, which led to murmurings that SMEs might be largely exempt. The final text dropped that threshold in favour of the activity-based tests above, and the Information Commissioner’s Office decisively quashed the “GDPR doesn’t apply to small businesses” myth last year. The only head-count relief that survived is narrow: organisations with fewer than 250 employees are spared some of the record-keeping of processing activities, but not where the processing is more than occasional, is likely to result in a risk to individuals, or involves special categories or criminal conviction data. Myth busted, I’m afraid.
Will GDPR affect our B2B marketing activities?
GDPR applies to data relating to individuals, not to companies as such. However, there is still some confusion over whether a business e-mail address counts as personal data. Let’s dispel that: if a person’s name is included in a company e-mail address, no matter how it’s formatted, the address can be used to identify an individual, so it must be processed in compliance with GDPR. Consent-based marketing has been codified under GDPR, so you’ll need a separate, individual, and granular opt-in process (pre-ticked boxes and silence no longer count as consent) and you must make consent as easy to withdraw as it was to give. Most ethical B2B marketers will instead rely on “legitimate interests”, and GDPR’s recitals acknowledge that direct marketing can be one. Note the direction of the test, though: the legitimate interest is yours, the marketer’s, and it has to be balanced against the interests, rights, and freedoms of the individual, so you must be able to show that the person would reasonably expect the contact and won’t be harmed or unfairly affected by it. Whatever lawful basis you rely on, an individual’s objection to direct marketing must be honoured outright. For example, if your business sells HR software, you can collect and manage data relating to HR managers based on their job function and seniority, whereas inconsiderately sending marketing e-mails to a bought-in list of Gmail or Yahoo! addresses would be very hard to defend as a legitimate interest.
Have I left it too late to do something about GDPR?
It’s never too late to start examining the scope of your data processing and put your house in order. My hunch is that the regulators will prioritise shining the spotlight on those businesses that collect customer or employee data and plan to do something with it for commercial gain – particularly if that purpose isn’t made abundantly clear to those customers or employees. But even if you’re unlikely to face auditors’ scrutiny, you should still review your current collection and management practices with personal data, particularly if you monetise it in some way – you owe it to your customers who put their trust in your business. For example, you might consider adopting techniques like pseudonymisation, which replaces direct identifiers with tokens and keeps the information needed to reverse that mapping separately, under its own technical and organisational safeguards, so you can still benefit from collecting and analysing personal data while reducing the risk to your customers’ privacy. Bear in mind that pseudonymised data is still personal data under GDPR, because re-identification remains possible: what you gain is a recognised security measure and a lower risk profile, not an exemption.
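The pseudonymisation technique described above, as an added example in Python that is not part of the original post or of any product it mentions. It assumes a small constructed customer purchase log, an HMAC key that in practice would be held in a separately controlled secret store (a KMS or HSM), and a `lookup` table standing in for the separately stored re-identification data. It also contrasts keyed tokens with the common shortcut of bare-hashing e-mail addresses, which a dictionary attack reverses.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample purchase log (not from the original post): direct
# identifiers sit alongside the analytic payload we actually want to keep.
CUSTOMER_EVENTS = [
    {"name": "Alice Example", "email": "Alice@example.com", "product": "widget", "amount": 20},
    {"name": "Bob Sample", "email": "bob@example.com", "product": "gadget", "amount": 35},
    {"name": "Alice Example", "email": "alice@example.com", "product": "gadget", "amount": 35},
]
DIRECT_IDENTIFIERS = ("name", "email")


def _normalise(value: str) -> bytes:
    # Case/whitespace differences must not split one person into two tokens.
    return value.strip().lower().encode("utf-8")


def bare_hash(value: str) -> str:
    """What NOT to do: an unkeyed hash of an e-mail address is reversible by
    anyone who can hash a list of candidate addresses (see dictionary_attack)."""
    return hashlib.sha256(_normalise(value)).hexdigest()[:16]


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed token: same input -> same token, so analytic joins
    still work, but reversing it requires the key. Assumption: in production
    the key lives in a separately controlled secret store, never with the data."""
    return hmac.new(key, _normalise(value), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Strip direct identifiers from each record, replacing them with tokens.

    Returns (analytic_set, lookup). `lookup` (token -> original value) is the
    'additional information' GDPR requires to be kept separately and under its
    own technical and organisational measures; it never travels with the
    analytic set.
    """
    lookup, analytic_set = {}, []
    for rec in records:
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        for field in DIRECT_IDENTIFIERS:
            token = pseudonym(rec[field], key)
            stripped[field + "_token"] = token
            lookup[token] = rec[field]
        analytic_set.append(stripped)
    return analytic_set, lookup


def spend_per_customer(analytic_set):
    """The business value that survives pseudonymisation: per-customer totals
    computed without ever seeing a name or e-mail address."""
    totals = Counter()
    for rec in analytic_set:
        totals[rec["email_token"]] += rec["amount"]
    return dict(totals)


def reidentify(analytic_set, lookup):
    """Controlled re-identification, e.g. to honour an access or erasure
    request; only possible for whoever holds the separately stored lookup."""
    return [dict(rec, email=lookup[rec["email_token"]]) for rec in analytic_set]


def dictionary_attack(tokens, candidates, token_fn):
    """Model an attacker who obtained the analytic set plus a list of likely
    addresses and tries to map tokens back to people using `token_fn`."""
    recovered = {}
    for candidate in candidates:
        guess = token_fn(candidate)
        if guess in tokens:
            recovered[guess] = candidate
    return recovered


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # demo only; see assumption in pseudonym()
    analytic_set, lookup = pseudonymise(CUSTOMER_EVENTS, key)
    print("spend per token:", spend_per_customer(analytic_set))
    print("re-identified first record:", reidentify(analytic_set, lookup)[0]["email"])
    guesses = ["alice@example.com", "carol@example.com"]
    bare_tokens = {bare_hash(r["email"]) for r in CUSTOMER_EVENTS}
    print("bare hashes reversed:", dictionary_attack(bare_tokens, guesses, bare_hash))
    hmac_tokens = {r["email_token"] for r in analytic_set}
    print("HMAC tokens reversed:", dictionary_attack(hmac_tokens, guesses, bare_hash))
```

The design point is the split: the analytic set and the `lookup`/key are two data sets with two owners and two access policies, and the second one is what you protect hardest. Truncating the token to 16 hex characters keeps it compact for joins; the attack function shows why the key, not the hash function, is what makes the mapping hard to reverse.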
How can I persuade my company to see GDPR in a positive light?
In the aftermath of the Facebook and Cambridge Analytica imbroglio, it’s clear that as citizens, we need more control over our personal data. GDPR actually aims to simplify the regulatory environment for businesses, with reforms designed for the way we live today in the Internet-enabled age, when practically every aspect of life revolves around data. After all, nobody wants their personal information lost, stolen, or otherwise finding its way into the hands of people who aren’t intended to see it. You’ll find it easier to get buy-in from senior stakeholders by positioning GDPR (quite rightly) as a business improvement or customer experience initiative rather than a compliance journey.
Won’t GDPR just go away after Brexit?
I’m no clairvoyant, so the post-Brexit landscape is still as much of a mystery to me as anyone. However, by the time the Brexit deadline rolls around (on 29th March 2019), the GDPR will have been in force for ten months, so I can’t see the clock being turned back on accountability. Last year, the UK government proposed carrying GDPR over into UK law after we leave the EU, so I’d put my money on UK citizens ultimately retaining the right to access and correct personal data, and to request its deletion. Lastly, it’s worth bearing in mind that GDPR is an evolution, not a revolution, so if your business is already meeting current data protection regulations, you’re already well on your way to GDPR compliance.
There are numerous sources of professional expertise, resources and tools to support you on the last mile of the journey, such as Information Builders’ GDPR Accelerator and bespoke assessments to help you identify any gaps in your current practices.