Data privacy and security expert Debra Farber presents on the emerging role of the Data Protection Officer (DPO). When the EU's General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018, companies around the world that process the personal data of EU residents will, in the cases the regulation specifies, be required by law to appoint an independent DPO with defined responsibilities and data protection expertise.
Everything You Need to Know About Data Protection Officers (DPOs)
1. The Data Protection Officer (DPO):
Everything You Need to Know
Debra J. Farber, JD, CISSP-ISSMP, CIPP/US/E/IT/G, CIPM, FIP
U.S. Chief Privacy Officer, CRANIUM
2. Who am I?
• Consultant and non-practicing lawyer;
• 14 years experience operationalizing privacy and security;
• Executive Consultant & CPO at CRANIUM;
• Advisor to BigID;
• IEEE Personal Data Privacy Working Group;
• IAPP CIPT Exam Development Advisory Board;
• Sr. Director, Global Public Policy (Security & Privacy) at Visa;
- Member of the Advancing Cyber Resilience Working Group at
The World Economic Forum (WEF);
• Co-Founder of Women in Security & Privacy (WISP);
• Sr. Privacy Consultant & Product Manager at TrustArc;
• CEO & Principal at Farber Strategies Inc.;
- Executive Faculty at IANS;
- Professional Privacy Faculty Member at the IAPP;
• Director Product & Platform Privacy at Numera;
• Chief Privacy Officer at The Advisory Board Company;
• Managing Consultant (Privacy & Security) at IBM Global Services;
• Sr. Manager, Privacy & Policy at Revolution Health;
• Manager, Online Privacy at American Express
@privacyguru
3. Agenda
• The EU’s GDPR in 60 seconds
• When does an organization need to hire, appoint, or contract with a DPO?
• To whom should the DPO report to remain “independent” & avoid a conflict of
interest?
• Who can serve in the DPO role?
• What are the DPO’s responsibilities?
• Alphabet Soup: CPO vs. DPO vs. CISO
• The war for talent & how companies are staffing the DPO role
• Questions?
6. When does an organization need to hire, appoint,
or contract with a DPO?
7. The GDPR (Article 37) states that appointing a DPO is
mandatory to facilitate compliance with
the GDPR in the following 3 specific cases:
• You are a Public Authority or Body, or acting
as one;
• Your core activity consists of processing
operations that require “regular & systematic
monitoring” of data subjects “on a large scale;”
or
• Your core activity consists of processing “on
a large scale” special categories of data (Article 9)
or data relating to criminal convictions and offences (Article 10).
You may still choose to appoint a DPO even when
the GDPR does not require it.
9.
What Percentage of Your Software
Vulnerabilities have GDPR Implications?
DOWNLOAD THE FREE E-BOOK
We talked with LocalTapiola, a Finnish financial
services company, about their efforts to prepare for
GDPR, and our own analysis showed that
25% of bugs on HackerOne have GDPR implications.
GDPR Article 33 states that data breaches must be disclosed to the organization’s supervisory authority “without
undue delay and, where feasible, not later than 72 hours after having become aware of it.” It’s not uncommon these
days for organizations to require weeks or months to remedy a vulnerability.
Our advice regarding GDPR has always been to find and fix vulnerabilities before they can be exploited. There’s no
disclosure requirement for bugs, only for breaches, and running a bug bounty program is a great way to identify
vulnerabilities before the bad guys do.
10. To whom should the DPO report to remain
“independent” & avoid a conflict of interest?
11. The DPO must be “independent”
A DPO cannot hold a position within the organization that leads them to determine the “purposes and the
means of the processing” of personal data or that otherwise creates a conflict.
Data controllers or processors should:
• Identify positions which would be incompatible with the DPO function;
• Draw up internal rules to avoid “conflicts of interests;”
• Formally declare via internal & external comms & in policy documentation that the DPO has no conflict of interests with regard to
their function as a DPO, as a way of raising awareness of this requirement;
• Include safeguards within the organization’s internal rules and ensure that the publicly-posted DPO job description or the services
contract for an External DPO is sufficiently precise and detailed in order to avoid a conflict of interests.
More likely an independent reporting line:
- Chief Compliance Officer;
- Audit team;
- Report directly to the CEO, COO, Board, etc.;
- External contractor (i.e., outside consultant or counsel) reporting to a C-level officer or the Board;
- Other reporting line without conflicts.
More likely a conflict-of-interest reporting line:
- Chief Privacy Officer;
- Chief Information Security Officer;
- Chief Information Officer;
- Business line reporting: i.e., Marketing, HR, Product, etc.;
- Reporting up to other business executives who determine the purpose & means of processing.
12. Obligations to support your independent DPO
Your org is ultimately responsible for GDPR compliance & must be able to demonstrate that
compliance, not the DPO.
The Article 29 Working Party called out the following activities as necessary for an org to properly support its DPO:
• Active support of the DPO by senior management – i.e., Board-level, C-level;
• Sufficient time to fulfill their duties;
• Financial, infrastructure and staff resources;
• Official communication of the DPO appointment to all employees;
• Access to stakeholders such as HR, Legal, IT, Security etc.;
• Continuous training; and
• A DPO team depending on the size and structure of the organization;
The DPO’s employer may NOT:
• Instruct the DPO on how to deal with a matter, what result should be achieved, how to investigate a complaint, or whether to
consult the Supervisory Authority (“SA”); or
• Instruct the DPO to take a certain view of an issue related to data protection law or follow a particular legal interpretation.
14. The GDPR does not specify the precise credentials a DPO is
expected to have. However, the WP29 defines certain minimum
requirements regarding the DPO’s expertise & skills:
• Level of Expertise: It is essential that the DPO understand
how to build, implement, & manage data protection
programs. The more complex or high-risk the data
processing activities are, the greater the expertise the
DPO will need.
• Professional Qualities: DPOs need not be lawyers, but
they must have expertise in member state and European
data protection law, including an in-depth knowledge of
the GDPR. DPOs must also have a reasonable
understanding of the organization's technical and
organizational structure and be familiar with information
technologies and data security.
• In the case of a public authority or body, the DPO should
have sound knowledge of its administrative rules &
procedures.
16. According to the GDPR, the DPO must perform the following tasks:
Monitor Compliance
• Collect information to identify and analyze processing activities;
• Analyze and check the compliance of processing activities;
• Conduct audits to ensure GDPR compliance & address potential issues.
Inform & Advise
• Inform, advise, & issue recommendations on data handling to the
controller or processor – e.g., based on DPIAs;
• Educate the company / employees on GDPR obligations & other data
protection requirements, and train data handling staff.
Coordinate with the SA
• Cooperate with the Supervisory Authorities (“SA”) & make the
organization’s records available on request;
• Proactively report issues with data processing, such as data breaches.
Serve as Privacy Contact
• Serve as single point of contact for data subjects’ inquiries;
• Provide information on data subjects’ rights related to the org’s data
protection practices, withdrawal of consent, the right to be forgotten, &
other rights.
17. Orgs have GDPR obligations to support the DPO:
Effective Governance
• Effectively communicate to personnel the appointment of the DPO and his or her functions;
• Ensure the DPO has significant independence in the performance of his or her role;
• Ensure a direct reporting line “to the highest management level” of the company;
• Involve the DPO at the earliest stage possible in all issues relating to privacy & data protection;
• Invite the DPO to participate in senior management meetings to represent privacy & data protection interests.
Resources & Training
• Provide sufficient time & resources (financial, infrastructure, equipment, training, & staff) necessary for the DPO
to keep up-to-date with data privacy & security developments and to carry out tasks effectively & efficiently.
Appropriate Access
• Provide appropriate access to the personal data that the organization processes, including access to the systems;
• Promptly consult the DPO in the event of a personal data breach or security incident;
• The DPO’s opinion must be given due weight. Should the business choose not to follow the advice of the DPO,
the business should document the reasons for such decision.
Other Functions
• DPOs may perform other tasks and duties provided they do not create conflicts of interest (e.g., training the
Board, executives, & employees);
• Job security: the GDPR expressly prevents dismissal or penalty of the data protection officer for performance of
her tasks and places no limitation on the length of this tenure.
18. DPO Job Description (example)
Expertise and Professional Qualities
• Expertise in national & European data protection laws and practices and an in-depth
understanding of the GDPR;
• Years of experience in data protection program management commensurate with
the sensitivity, complexity, & amount of data the employer processes;
• Integrity & high professional ethics;
• Can handle info & business affairs w/ secrecy & confidentiality as appropriate;
• Demonstrated leadership & project management experience;
• Ability to communicate effectively with the highest levels of management &
decision-making within the organization;
• Familiarity with privacy and security risk assessment and best practices, privacy
certifications/seals, and information security standards certifications;
• Sound understanding of and familiarity with information technology programming &
infrastructure, and information security practices and audits;
• Ability to communicate effectively with data subjects, data protection authorities, &
other controllers and processors across national boundaries and cultures;
• Adequate self-awareness & confidence to acknowledge knowledge gaps and seek to
fill them from reliable sources;
• Knowledge of the business sector & of the employer’s organization;
• Sufficient understanding of the processing operations carried out, as well as the
information systems, and data security and data protection needs of the employer;
• In the case of a public authority or body, the DPO should also have a sound
knowledge of the administrative rules and procedures of the organization.
DPO Tasks
• Inform, advise, & issue recommendations regarding GDPR compliance;
• Foster a culture of data protection within the org & help to implement essential
elements of the GDPR, such as the principles of data processing, data subjects’
rights, data protection by design & by default, records of processing activities,
security of processing, & notification and communication of data breaches
• Advise the controller/processor regarding:
• Whether or not to carry out a data protection impact assessment (“DPIA”),
• What methodology to follow when carrying out a DPIA,
• Whether to carry out the DPIA in-house or outsource it,
• What safeguards (including technical and organizational measures) to
apply to mitigate any risks to the rights and interests of the data subjects,
• Whether or not the DPIA has been correctly carried out and whether its
conclusions (whether or not to go ahead with the processing and what
safeguards to apply) are in compliance with the GDPR;
• Maintain the record of processing operations under the responsibility of the
controller as one of the tools enabling compliance monitoring, informing and
advising the controller or the processor;
• Document all decisions taken consistent with and contrary to DPO’s advice;
• Offer consultation once a data breach or other incident has occurred.
• Ability to fulfill tasks
• Adequate and regular ongoing training;
• Self-starter and ability to act independently
20. Alphabet Soup: CPO vs. DPO vs. CISO
Chief Privacy Officer (CPO):
• Responsible for setting and implementing global data handling policies & rules, and
advising the business on the ways and means of processing;
• Responsible for putting in place data protection by design and default; complete DPIAs
where processing of personal data poses a “high risk”;
• Responsible for GDPR documentation: e.g., records of processing; subject access requests;
• Responsible for implementing processes into the business that respect the rights of the
data subject (e.g., rights to access, rectification, portability, erasure, etc.).
Chief Information Security Officer (CISO):
• Responsible for securing global corporate infrastructure, applications, IP, & personal data;
• Support the CPO by answering security questions;
• Responsible for implementation of appropriate technical & organizational measures to
ensure a level of security appropriate to risk;
• Responsible for ensuring the security of the systems and transactions with respect to the
rights of data subjects.
Data Protection Officer (DPO):
• Responsible for oversight of EU privacy, data protection, & security compliance;
• Advise the CPO on when a DPIA is necessary & the risk-based methodology to use; review
risks identified by the DPIA for GDPR compliance;
• Advise the CPO & CISO on meeting GDPR documentation requirements, mitigating security
controls, and whether controls have been accurately carried out;
• Advise the organization on whether it is appropriately respecting the rights of data subjects.
* The DPO may benefit from support from a Data Protection Office.
* The DPO may be physically located in another jurisdiction.
21. The war for talent & how companies are staffing
the DPO role
23. Contact Info:
Debra J. Farber
debra.farber@craniumusa.com
@privacyguru @CraniumUSA
https://www.linkedin.com/in/privacyguru
24. HackerOne Response: The VDP SaaS Platform
Benefits of a VDP Platform
• Better signal-to-noise ratio
• Decorate reports with industry standards (CVSS, CWE, affected asset)
• Better data security via encryption
• Streamlined workflow and comms process
• Easier and more informative reporting
Email is not a very good
mechanism for tracking multiple
cases at once. Vendors...should
consider setting up a web-based
case tracking system instead.
CERT CVD Guide, page 58, Sections 7.1.1.1 and 7.1.4
GDPR Article 32(1)(d) requires companies to maintain “...a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational
measures for ensuring the security of the processing,” which is exactly where bug bounties fit in.
Our specialized product for PSIRT teams, HackerOne Response, has helped orgs like GM, DoD, and Adobe achieve their goals