Outsourcing your organization’s DPO duties? Consider this

The General Data Protection Regulation will come into effect on May 25, 2018, and will provide a modernized compliance framework for data protection. Because of its extraterritorial reach, entities that operate in the U.S. should take note and consider complying with the regulation. While having a data protection officer, as mandated under the GDPR, is not a new concept and is already required for entities operating in countries such as Singapore and Germany, the extraterritorial scope of the GDPR greatly broadens the number of companies that may need to hire one. Article 37(1) of the GDPR requires the designation of a DPO in the following circumstances: where the processing is carried out by a public authority or body; where the core activities of the controller or the processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions or offenses.

Due to the extraterritorial scope of GDPR, many companies will be required to spend money on either an internal DPO or a third-party entity such as a law or IT firm to act as their external DPO. According to one study by the IAPP, more than 28,000 new DPOs need to be hired by 2018, and that’s just in the EU and U.S. Applied globally, the IAPP found that number looks more like 75,000. With the shortage of individuals trained to handle DPO responsibilities, it is likely that many entities will look to hire an external third-party DPO. Before hiring an external DPO, entities should consider the following issues:

Can the DPO be adequately involved with an entity’s data privacy program and do the costs justify hiring an external DPO?

Contrary to common belief, a DPO’s duties do not solely involve responding to breach situations and cooperating with supervisory authorities. The GDPR states that a DPO’s duties are broad and include tasks such as monitoring an entity’s compliance with the GDPR; providing advice when conducting data protection impact assessments; informing the entity and its employees of their data protection obligations; and cooperating with the supervisory authorities. The Article 29 Working Party’s guidance on DPOs further clarifies that a DPO should be invited to participate regularly in meetings with senior and middle management and should be easily accessible within the organization.

Traditionally, law firms and IT consulting firms either charge by the hour or work to a fixed (or semi-fixed) budget for their services. It is important to consider that certain responsibilities, such as attending meetings and monitoring an entity’s compliance with the GDPR, may be extremely time-consuming and expensive on a per-hour basis. Certain service providers have created fixed-fee arrangements that may provide cost savings, but at the risk of sacrificing quality by assigning less qualified and experienced individuals to certain DPO-related duties. In a fixed-fee or semi-fixed-fee arrangement, an entity should consider the included services along with the experience of the individuals who will be performing those services.

Can the service provider act independently in performing its DPO duties?

According to GDPR Article 38(3) and the Article 29 Working Party’s guidance on DPOs, a DPO must perform its duties and tasks in an independent manner. In other words, the DPO must not be instructed on how to deal with a matter and cannot be directed to take a particular stance on a data privacy issue. For many third-party providers, however, this could be a potential issue, especially if the service provider has many engagements with the entity in question. If an entity has a close prior relationship with the service provider, the line may easily blur, leading to instances where the service provider is asked, or feels pressure, to take a particular stance.

Does the DPO have other privacy, data security, or IT related engagements with the entity that could potentially create a conflict of interest?

According to GDPR Article 38(6) and the Article 29 Working Party’s guidance on DPOs, a DPO is allowed to fulfill other tasks and duties, provided that those tasks and duties do not result in a conflict of interest with its DPO duties. For many service providers, this can be an issue, especially if the service provider has worked with the entity’s management in designing the entity’s privacy program or has assisted the entity in interpreting privacy rules and regulations. Service providers may be compelled, or may feel uncomfortable, to make determinations that are contrary to the advice they provided in a previous engagement. To prevent independence issues, U.S. publicly traded companies often use a different audit firm for Sarbanes-Oxley corporate internal controls work than for general audit services. Other conflicts to consider include hiring the same external DPO as an entity’s Qualified Security Assessor under the Payment Card Industry rules, or hiring the same DPO as the entity’s security information and event management (SIEM) provider.

Below is a list of questions and issues to consider prior to hiring an external DPO:

  • Do you envision the external DPO being extremely hands-on?
  • What kind of fee engagement is the external DPO offering?
  • If the fee engagement is fixed: Are the included services adequate for your organization? Are the individuals handling DPO duties qualified?
  • If the fee engagement is on a per-hour basis: Are the rates reasonable given the experience of the individuals performing DPO duties? Are there discounts available for prepayment of expenses? What kind of duties do you envision the DPO handling?
  • Does the DPO represent other entities in your sector?
  • Does your entity have a close relationship with the external DPO that may cause independence issues?
  • Has the external DPO engaged in any privacy or data security work for your entity in the past? Could that work cause a conflict of interest?


This article first appeared in The Privacy Advisor.

Collecting Information From Children In The EU: A Comparison of US Law, EU Law, and Soon-To-Be EU Law


In the United States there are relatively few restrictions on collecting information from children off-line. Efforts to collect information from children over the internet, however, are regulated by the Children’s Online Privacy Protection Act (“COPPA”). Among other things, COPPA requires that a website obtain parental consent prior to collecting information from children under the age of 13, that a website post a specific form of privacy policy that complies with the statute, that a company safeguard the information that is received from a child, and that a company give parents certain rights, like the ability to review and delete their child’s information. COPPA also prohibits companies from requiring that children provide personal information in order to participate in activities, such as on-line games or sweepstakes.



Seeing the Silver Lining: 4 Positive Aspects of GDPR for Businesses

Since the General Data Protection Regulation (GDPR) was proposed, IT professionals, lawyers, and consultants have been talking about the potentially game-changing effect it may have on businesses around the world. Much as US citizens in the 1950s and ’60s were trained to prepare for a nuclear war, the vast majority of articles and presentations on the GDPR relate to how one should prepare for a potential doomsday scenario. The looming risks and challenges of the GDPR are real and daunting. Among other things, the regulation has an over-reaching territorial scope, may require companies to appoint a Data Protection Officer, and encourages the incorporation of Data Protection Impact Assessments into an amended privacy program. However, there is a silver lining to almost everything, and GDPR compliance is no exception. This article discusses four “silver lining” benefits of the GDPR as compared to the current data protection scheme in Europe.


Harmonization of EU privacy laws

One of the biggest complaints from companies operating in Europe is that they have to monitor and comply with the laws of 28 different countries. Under EU Directive 95/46/EC (the “EU Directive”), data privacy laws are essentially addressed at the member state level. To put it another way, the EU Directive provides a framework for EU countries to develop and maintain their own privacy rules and regulations. As a result, current data privacy law is essentially a patchwork of different laws from various member states, which often leads to uncertainty for businesses and their EU-based clients, as well as substantial compliance costs.

Except for employment or national security-related privacy matters, GDPR will allow companies to focus on one all-encompassing, uniform set of data privacy regulations. This has the potential to help small- to mid-sized companies operating in or collecting information from EU residents. Rather than deciding between “full” compliance, which involves spending significant amounts on legal fees and relying on subjective analyses of various EU member state laws, or rolling the dice with non-compliance in certain EU countries, GDPR may permit companies to save costs and reduce risk by following a uniform set of rules that apply to the entire European Union.


Lead authority one-stop shop

Under the aforementioned EU Directive, there are over 20 different privacy regulations that a company operating in Europe must comply with. Although the EU Directive created a mechanism that was designed to facilitate communication between member state data protection authorities, investigations and enforcement actions are often done separately by various member states.

While companies would have preferred a system in which one single privacy regulator has exclusive competence, the GDPR allows companies to deal with one “lead authority” in the company’s place of main establishment. Other member state data protection authorities will still be able to investigate and enforce data protection issues if a complaint is directed to them, but they must notify the lead authority of their intention to investigate or take action.

The lead authority will then have three weeks to determine whether it wishes to intervene and handle the matter jointly. While there are other nuances and exceptions, as a whole, the GDPR’s designation of a lead authority has the potential to encourage various countries to work together on enforcement and investigation matters in a predictable and efficient manner, allowing companies to focus time, energy, and resources on dealing with one regulator.


Data breach reporting

The United States does not have a general federal breach reporting statute. Instead, most US states have their own data breach reporting rules and regulations. The current EU Directive likewise does not contain a general data breach reporting obligation; breach reporting requirements are instead determined by each member country. Some member states, such as Germany and the Netherlands, have implemented data breach reporting obligations, while others, such as the United Kingdom, Denmark, and Ireland, have not. The GDPR introduces a general obligation to report data breaches. GDPR Article 33(1) states that the breached entity must, without undue delay, notify the supervisory authority within 72 hours of becoming aware of a personal data breach.

The GDPR’s breach notification requirement may be advantageous to most companies. Much like the burden of keeping track of changes to breach reporting statutes in the United States, the current EU Directive burdens companies with keeping track of the breach reporting statutes of each member country. For in-house counsel, contract negotiation over data breach provisions can be lessened and streamlined when the vendor company provides detailed data breach reporting provisions in its standard contracts as a component of GDPR compliance. Furthermore, a data breach is often a hectic time. In addition to keeping up with breach reporting regulations, breached companies also have to deal with contractual liability, PCI-DSS issues, and internal business and PR issues. Having to report to only one supervisory authority, rather than figuring out which member states to report to, saves time and energy for in-house counsel, particularly in smaller in-house departments. The GDPR allows companies to have one all-encompassing EU data breach response plan.


Competitive advantage for GDPR compliant US entities

Compliance with the GDPR, in addition to the cost and time savings mentioned above, can also serve as a competitive advantage in the US marketplace. Although the GDPR is not directly applicable to a US-based customer company in most cases, a vendor company gains a reputational advantage from being able to point to its compliance with data privacy regulations, in the form of the GDPR, that are more stringent than those required under US law. This engenders trust in the vendor and provides the customer company with the tangible benefits of transparency, privacy, and security in the vendor’s treatment of the customer’s data. Customer companies are increasingly seeking to rely on their vendors’ regulatory compliance as part of their own compliance policies, and vendors that comply with the GDPR support those initiatives.

How to Prepare for the General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (the “GDPR”) was adopted by the EU Parliament on April 14, 2016. The GDPR will replace the EU Data Protection Directive (95/46/EC), which was implemented more than 20 years ago. After a two-year transition period to integrate the new obligations, the GDPR will be directly applicable in all EU Member States in June 2018.

The GDPR’s aim is to unify data protection law within the European Union and increase data subjects’ rights (I). This involves strengthened obligations for companies in terms of compliance (II), as well as extended powers of Data Protection Authorities (“DPA”) (III)….
