Although this is good for data subjects' control and privacy, most companies do not yet have data-protection tracking systems of this kind. Security teams will have to protect the data not only against traditional threats, but in a way that is transparent, documented, and retrievable by what may be a large number of data subjects, all while keeping the data itself secure. Every member of the computer security team will need training in GDPR compliance and in what it means for the organization's existing and future security controls.
Many of the organizations covered by the regulation, private and public, must appoint an official data protection officer (DPO). The DPO is a key figure not only in maintaining legal compliance with the GDPR, but must also have the technical knowledge, or the staff, to secure the data and ensure business continuity. The DPO is expected to operate independently of the organization that employs him or her. The EU considered the DPO position important enough to issue a separate, more detailed 18-page document about it.
The DPO position might seem a natural fit for a CSO, and it may be. CSOs are certainly familiar with technical computer security requirements and controls, and with interfacing with top management. But a DPO also has to have a strong understanding of privacy and compliance requirements, which is typically better understood by chief privacy officers (CPOs) or other privacy advocates. On the other hand, privacy officers may not understand the technical side. Smaller businesses, with much smaller management teams, may end up appointing the employee who is the "best fit", such as a comptroller, or may choose an external DPO, who may also serve other companies. In all cases, the GDPR requires that the DPO be an independent auditor of compliance and be directly accessible to the data subjects, the complying organization, and the GDPR supervisory authorities. When data is collected from a subject, the contact details of the controller and of the DPO must be provided.
Van Hoof says, “Most large European companies have already hired DPOs, but I’ve seen outsourced DPOs or shared DPOs by smaller and medium-sized businesses.”
Data protection and processing records must be kept and made available for routine, regular inspection, not only by auditors but by individual data subjects. How will a complying organization make these records available for private inspection by each individual while keeping them secure from unauthorized viewers? Will each data subject need an account in a new identity management and access control system, for what could be millions of data subjects? Probably, at the very least. Or could an organization meet the GDPR requirements simply by printing an individual's records and mailing a hard copy? These are the important details the DPO, management, and the security team must work out.