Organisations have had to get a lot more serious about data processing and information security since the EU GDPR (General Data Protection Regulation) came into effect earlier this year. For many, that has included the mandatory appointment of a DPO (data protection officer) to ensure key requirements of the Regulation are being met.
But with so many uncertainties about what effective data protection should look like, many DPOs have been thrust into the role without time to think about how best to approach their tasks.
That’s why we sought the advice of information security consultant James Turland, and Alan Calder, IT Governance’s founder and executive chairman, who recently presented a webinar on data breaches and the DPO role.
Q: What’s one piece of advice you’d give to a DPO for preparing for a data breach?
JT: A documented, tested and clearly communicated incident response plan is fundamental in preparing for and responding to a data breach. This goes hand in hand with an incident response team that has sufficient authority, autonomy and expertise to make the decisions necessary to contain, treat and recover from the incident.
AC: The key thing to think about with data breaches is that you’re going to be breached. Every organisation is going to suffer a data breach sooner or later. And it’s going to be on a regular basis. You’re not going to get through multiple years without a data breach of any sort, bearing in mind that breaches can be caused by outside attackers as well as insider error.
Q: How can an organisation prepare for a data breach?
JT: Form an incident response team and create realistic incident response plans derived from an asset-based risk assessment.
AC: Most organisations don’t know when they’ve been breached, because they have no mechanism to identify breaches. You can’t expect a data breach to be something which always manifests itself in the form of a locked workstation or a server which is out of commission.
Q: What does the future look like for data protection?
JT: This is the start of a significant change in the data protection landscape. Increasingly, we are seeing the necessity for assurance from information security standards such as ISO 27001, and attestation of the effectiveness of controls such as SOC 2, brought about by the evolving threat landscape combined with high-profile breaches. Customers and clients are requiring increasing assurances as to the cyber security controls in place within organisations, and this is well overdue!
AC: Over the next five to seven years, we’ll see cyber resilience become more of a focus for organisations’ cyber security activity. The impact of a data breach has got to be controlled through how you lock down after the breach and how you inform affected data subjects.
Q: Has the GDPR made a difference to the data protection landscape?
JT: The GDPR has enforced the necessity to protect personally identifiable information. Furthered by the introduction of the NIS Directive, these two initiatives have changed the way in which businesses consider their cyber security posture. All businesses, no matter how large or small, will be affected and required to consider their legal and regulatory obligations.
AC: One of the key issues the GDPR addresses is organisations’ preparedness for data breaches. [It outlines] a number of things you can [do] to ensure that you deal with a breach effectively.
[This includes] tracking the data you process as much as you can, so when there is a breach you can quickly identify what data is at risk.
How a DPO helps
A DPO is responsible for overseeing an organisation’s data protection practices. It’s their job to consider questions like the ones we’ve addressed here, and make sure the organisation(s) they represent stays ahead of the game.
With a DPO, organisations can be sure that they have a data protection expert looking out for them. Their responsibilities include:
- Advising staff on their data protection responsibilities;
- Monitoring the organisation’s data protection policies and procedures;
- Advising management on the necessity of DPIAs (data protection impact assessments);
- Serving as the point of contact between the organisation and its supervisory authority regarding data protection issues; and
- Serving as the point of contact for individuals on privacy matters, such as DSARs (data subject access requests).
Where to find a DPO
Finding a DPO can be tough. Candidates must have a strong understanding of data protection law, information security technology and how to implement and manage data protection programmes.
The good news is that the GDPR gives organisations several options for finding someone who meets these requirements. The role can be filled internally, with the employee either focusing exclusively on their DPO responsibilities or performing the necessary tasks alongside their existing role (provided there is no conflict of interest between the two positions).
Alternatively, the role can be outsourced, with several organisations sharing a DPO. This is ideal for smaller businesses, as their data processing activities probably aren’t substantial enough to require a full-time DPO.
If you’re interested in outsourcing your DPO responsibilities, you should consider our DPO as a service solution.
One of our data protection experts will act as a remote DPO, working with you to understand your organisation and its compliance requirements. They’ll complete the necessary tasks and provide you with guidance whenever you need it.