Data Protection Officers (DPOs) are required to oversee an IT security strategy compliant with a myriad of GDPR requirements across the EU. If you’re reading this, you may be a newly appointed DPO, or responsible for naming one.
DPOs are required in public agencies, in businesses that conduct regular and systematic monitoring of data subjects on a “large scale”, and in cases where the processing involves personal information that falls into “special categories of personal data” – such as data revealing racial or ethnic origin, political opinions, genetic information, and biometric identity markers. In Germany, the German Federal Data Protection Act has made this regulation more stringent, essentially requiring every business with more than 10 employees to appoint a DPO. A credible estimate is that 28,000 DPOs will be appointed or newly hired across 28 EU countries. (source: iapp.org)
As we count down to May 25, what should be the top priorities of newly named DPOs? Here are six actionable suggestions to complete prior to the deadline:
- Lay out a plan for breach response that you can execute within Article 33’s timeframe of 72 hours, including maintaining an accessible customer list with contacts.
- Advise your company’s employees of GDPR and provide a package of available education and training – this can take the form of articles, webinars, and podcasts.
- Designate people in your organization who will handle data requests from customers (Articles 15 through 22). Such requests – which can include correction, removal, or receipt of a copy – must be executed within 30 days.
- Conduct a data security audit. Document and understand what personal data your organization stores, how long it’s retained, and who it’s shared with. Determine and document the breach detection measures you have in place.
- Update privacy and consent notices and forms so that customers can opt in or out of communication, and clarify the process in writing for requesting to have personal data “forgotten” and purged.
- Test all processes above, with completion prior to May 25. Test scenarios should include responding to data requests, verifying an individual’s identity, flagging PII in your systems, handling data purge requests, consent form submission and processing, breach detection, and breach notification.
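As an added example (not code from the original post), the following self-contained Python script exercises three of the checklist items above on constructed sample data: flagging fields that look like PII or special-category data in a stored record, computing the Article 33 72-hour breach notification deadline and the 30-day data-request deadline the post cites, and listing data inventory entries whose retention period has lapsed. All systems, records, timestamps and the PII heuristics are assumptions made for illustration; a real deployment would replace the regex heuristics with a proper data classification tool.

```python
"""GDPR readiness helper: PII flagging, deadline tracking, retention review.
Added example; all records, names and timestamps below are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

BREACH_NOTIFICATION_WINDOW = timedelta(hours=72)  # Article 33 window cited in the post
DATA_REQUEST_WINDOW = timedelta(days=30)          # data-request window cited in the post

# Heuristic value patterns for common PII formats (assumption: good enough to
# demonstrate the flagging step, not a substitute for a classification tool).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
IBAN_RE = re.compile(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}")
# Field names treated as "special categories" (Article 9) regardless of value.
SPECIAL_CATEGORY_FIELDS = {"ethnicity", "political_opinion", "genetic_data",
                           "biometric_id", "health"}


def looks_like_phone(value: str) -> bool:
    """Digits, spaces and phone punctuation only, with at least 9 digits
    (so dates such as 2018-05-25 are not mistaken for phone numbers)."""
    stripped = value.strip()
    if not re.fullmatch(r"\+?[\d\s().-]+", stripped):
        return False
    return sum(ch.isdigit() for ch in stripped) >= 9


def flag_pii(record: dict) -> dict:
    """Return {field_name: reason} for every field that looks like PII."""
    flags = {}
    for name, value in record.items():
        if name in SPECIAL_CATEGORY_FIELDS:
            flags[name] = "special-category"
        elif not isinstance(value, str):
            continue
        elif EMAIL_RE.fullmatch(value.strip()):
            flags[name] = "email"
        elif IBAN_RE.fullmatch(value.strip().replace(" ", "")):
            flags[name] = "iban"
        elif looks_like_phone(value):
            flags[name] = "phone"
    return flags


def breach_notification_deadline(detected_at: datetime) -> datetime:
    """Latest time to notify the supervisory authority after detection."""
    return detected_at + BREACH_NOTIFICATION_WINDOW


def data_request_deadline(received_at: datetime) -> datetime:
    """Latest time to fulfil a data subject request after receipt."""
    return received_at + DATA_REQUEST_WINDOW


def hours_remaining(deadline: datetime, now: datetime) -> float:
    """Hours left until a deadline; negative means it has already passed."""
    return (deadline - now).total_seconds() / 3600


@dataclass
class InventoryEntry:
    """One line of the data inventory produced by the audit step."""
    system: str
    purpose: str
    retention_days: int
    shared_with: tuple
    oldest_record_at: datetime


def retention_overdue(entries, now: datetime) -> list:
    """Systems still holding records older than their stated retention period."""
    return [e.system for e in entries
            if now - e.oldest_record_at > timedelta(days=e.retention_days)]


# Constructed sample data used by the demo and the checks below.
NOW = datetime(2018, 4, 1, 9, 0, tzinfo=timezone.utc)
BREACH_DETECTED_AT = datetime(2018, 3, 31, 22, 0, tzinfo=timezone.utc)
REQUEST_RECEIVED_AT = datetime(2018, 3, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORD = {
    "customer_id": 1042,                       # not PII on its own
    "email": "a.mueller@example.com",
    "mobile": "+49 30 1234567",
    "iban": "DE89 3704 0044 0532 0130 00",     # constructed test IBAN
    "ethnicity": "declined",                   # flagged by field name
    "plan": "pro",
}
SAMPLE_INVENTORY = [
    InventoryEntry("crm", "marketing", 730, ("mailing-vendor",),
                   datetime(2015, 1, 1, tzinfo=timezone.utc)),
    InventoryEntry("billing", "invoicing", 3650, (),
                   datetime(2016, 6, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    print("PII flags:", flag_pii(SAMPLE_RECORD))
    deadline = breach_notification_deadline(BREACH_DETECTED_AT)
    print("Notify by:", deadline.isoformat(),
          f"({hours_remaining(deadline, NOW):.1f} h left)")
    print("Answer request by:", data_request_deadline(REQUEST_RECEIVED_AT).date())
    print("Retention overdue:", retention_overdue(SAMPLE_INVENTORY, NOW))
```

Running the script prints the flagged fields of the sample record, the notification deadline with hours remaining, the request deadline, and the CRM entry as overdue for purge; each function returns its result so the same checks can be wired into a scheduled readiness test.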
The EU is now at the global forefront of taking privacy matters seriously and backing up protection of privacy rights with hard policies that contain teeth. Obviously, continued compliance efforts will be needed – it’s simply no longer an option to incur a data breach, and proactive, vigilant measures to mitigate such risk are now in the hands of the new cadre of Data Protection Officers across the European continent.
An advanced cybersecurity program is imperative in protecting against data breaches that will carry severely punitive fines after May 25, 2018 – ranging from 2-4% of annual company revenue. Crossmatch can help Data Protection Officers fully protect against costly data breaches. Only DigitalPersona offers a human hack-proofed solution that delivers the right level of security through the broadest possible selection of authentication factors – delivering a completely frictionless user experience that provides the strongest data protection available in the industry.
Jeff Carpenter is Director of Identity and Access Management solutions at Crossmatch. In this role, he is responsible for evangelizing Crossmatch’s DigitalPersona® solution. In his 10+ years in cybersecurity, Jeff has held positions with a number of top-tier cybersecurity and technology companies; most recently he was with RSA, a Dell Technologies company. Jeff earned a Bachelor of Science degree in Business Administration from Creighton University in Omaha, Nebraska. He holds both the Certified Information Systems Security Professional (CISSP) and the Certified Cloud Security Professional (CCSP) designations.