Try casting your mind back to two years ago? Back then, organisations were busy preparing for the General Data Protection Regulation, our email inboxes were brimming with consent requests and at business conferences the topic of privacy was unavoidable. An entire privacy industry formed dedicated to achieving and maintaining compliance with the new laws. I know. I was part of it. Two years on, where are we?
Dominic Fisher of ARQ Group reviews the privacy landscape and options facing organisations.
Since GDPR went live I am sure we have all heard of some of the egregious failings. Locally, the Lands Authority case springs to mind. Internationally the Marriott Hotel Group suffered an enormous breach affecting 100s of millions of customers. On the other hand, below the radar, in organisations which have taken privacy seriously and designed their processes with privacy in mind, data protection protocols have become embedded within the organisation. Entities should have reached the ‘business as usual’ stage by now and in reaching that milestone many local firms have discovered that having a fully dedicated privacy professional is excessive to their needs – full time data protection officers (DPOs) have taken on other responsibilities and part time DPOs have become more part time. There’s a risk that privacy practices become so ‘embedded’ that they disappear.
For certain types of organisations a DPO is a regulatory requirement. For any organisation, having a DPO shows a commitment to the privacy principle of accountability which is likely to be welcomed by all stakeholders, not least privacy regulators. As set out in Article 39 of the GDPR, the basic, mandatory tasks of the DPO are to:
- Ensure awareness of the organisation’s privacy obligations at law;
- Co-operate with regulatory authorities;
- Monitor compliance with data privacy policies and procedures; and
- Advise on Data Protection Impact Assessments (which should be carried for certain new types of processing).
The DPO would also get involved with data subject requests, dealing with actual or potential breaches and as an internal sounding board on any matters having a privacy dimension.
To achieve independent, reliable and proportionate privacy arrangements outsourcing is an option worth considering. The GDPR is clear on the permissibility of such arrangements. Article 37.6 of the Regulation states that even the core role of the Data Protection Officer can be fulfilled ‘on the basis of a service contract’.
Such a written contract should clearly state the roles and responsibilities of the outsourced provider. The work involved for certain elements, such as training and oversight, can be estimated with a good degree of certainty and can be covered with a fixed fee. Other elements such as dealing with data subject requests or breach handling would be variable in nature.
From a value perspective, the key benefits of an outsourced arrangement are efficiency and flexibility. Like a doctor examining a patient, an experienced and expert privacy professional will be familiar with the vast majority of privacy cases that he or she encounters and can make a swift and suitable diagnosis. Your service provider should also have ready access to a back up team to provide support for trickier situations or where specialist skills are required.
Privacy obligations aren’t going to disappear. For many organisations outsourcing is a sensible option to achieve your privacy objectives within a budget. For more information about ARQ’s privacy team can assist you contact Dominic Fisher at [email protected].