Being a Data Protection Officer can at times be a lonely role. People liken the role to that of an internal auditor within a business. Under the GDPR, the DPO is required to report directly to the highest management level. Data Protection Officers must have direct access to give advice to the senior managers who make decisions about personal data processing. The role of a DPO is considered so important that DPOs are given additional protection against dismissal. That speaks volumes about the value of a DPO. Data Protection Officers carry big responsibilities and at times do need professional support. We provide this support with expertise and compassion in several different ways, which we highlight below.
Are you prepared for an incident or data breach within your business? Are your staff trained to detect incidents or data breaches? How soon after an incident would you become aware of it? You should have a carefully thought out, tested, evaluated and corrected incident management process in place. Your DPO should have informed this process at every stage. Reporting to the supervisory authority needs to be an overarching consideration when developing this process.
A good incident management process should include the following five steps:
A thorough procedure would include building in notification requirements, identifying the responsible and involved parties (internal and external), developing supporting systems and documenting every step of the process. Testing and correction are paramount. We recommend a practice run in your business, especially to see whether you can meet the reporting requirements within the mandatory 72-hour time period. We can guide you in the development, testing and correction of your incident and breach management procedure.
Incidents and data breaches can be incredibly stressful times, when a second pair of eyes and a level head are an invaluable asset. Should your Data Protection Officer require professional support during incident and data breach management, we are here to be that support from start to finish.
Subject Access Requests (SARs), also known as Data Subject Access Requests (DSARs), are simply written requests made by or on behalf of data subjects to determine whether their personal data is being processed and to be given access to the personal data that the business is processing. These requests may cover additional information, and there are other rights that a data subject may exercise under this process. Your business is likely to notice an increase in these types of requests now that the GDPR has simplified the process and removed barriers such as charging a fee to make a request. The rules around these requests and the exercise of other rights can be quite complex to navigate. All such requests should be channelled through your data protection officer, who should ultimately deal with them on behalf of your business.
Does your organisation have a clear and embedded procedure for handling requests from data subjects? Sometimes it is quite difficult to distinguish between a regular data query in the normal course of business and a data subject exercising their rights. Your staff need to be trained on this point in a bespoke manner, within the context of your business. A good procedure for handling SARs would include:
Whilst fulfilling a SAR might be slightly less stressful than dealing with an incident, your DPO might require support all the same. What might seem to be a SAR might not be a SAR at all. Sometimes it can be unclear what information should be returned in response to a SAR, especially where other data subjects appear in the information collected. Where data subjects are exercising other rights, your DPO might not have the technical knowledge or ability to deal with requests such as those to halt processing. Your DPO might need confirmation that their response to the data subject is correct, or actual assistance with putting the response together. Either way, we are here to support your DPO should they need professional support.
Data Protection Impact Assessments (DPIAs) and Legitimate Interest Assessments (LIAs) both require an element of legal reasoning and rights balancing. Your DPO might require a second opinion on the reasoning within an assessment, on a judgement made during it, or on its outcome. Our years of expertise will guide your DPO toward clarity and give them confidence in the final DPIAs and LIAs documented for your business.
Data Protection Officers make use of software packages that fall into the Governance, Risk and Compliance (GRC) family. These software packages assist with GDPR risk management and compliance. Choosing the correct solution from the plethora available on the market can be a difficult task. We can advise on fully compliant and tailored solutions for your data protection and privacy programme, from understanding the minefield of options to troubleshooting and implementing a tailored data protection software management framework.