Welcome to another week of the GDPR Overview blog series! This week we will learn what a DPO is, how your organization should respond to data breaches, and what the penalties are for failure to comply with the regulation.
Let's dive in.
What's a DPO?
You may have heard the term "DPO" tossed around in regard to the General Data Protection Regulation, but what does this actually mean?
A DPO is a data protection officer. Data protection officers' responsibilities include, among others, helping your organization ensure its activities remain in compliance with GDPR; advising the organization on data protection issues and any data protection impact assessments (a process to identify data protection risks for a specific project); and being the first point of contact for those whose data is being processed as well as any necessary regulatory authority. The DPO is not personally responsible or liable for data protection compliance. This is still up to the controller or processor, however, the DPO does play a vital part to ensuring the organization is fulfilling its appropriate data protection obligations.
Your next question is probably asking whether your organization needs to appoint at data protection officer. There are a couple situations in which it is mandatory for an organization to appoint DPO, for example:
- If your organization is a public authority
- If your organization's core activities involve monitoring individuals regularly on a large scale (e.g. online behavior tracking)
- If your organization's core activities require you to process individual's data considered to be "special category" pertaining to the justice system.
Public authorities include bodies that are linked to the government; provide a public service; are regulated or supervised by the state; have charitable objectives; have powers that are enforceable upon the public; or whose rights and responsibilities are found in public, rather than private law. Court systems, however, are excluded from having to appoint a DPO when they are acting in their judicial capacity.
It doesn't matter whether your organization is a data controller or a data processor; if it meets any of the above criteria then you must appoint a data protection officer. On the other hand, your organization may choose to appoint a DPO even if you don't have to. Although, voluntarily appointing a DPO requires your organization to comply with the position's requirements just the same as if the appointment was mandatory.
So who can be appointed as a DPO?
A DPO can either be a current employee of your organization or they can be someone hired from the outside. They should have an extensive knowledge of data protection law, proportionate to the amount of data processing carried out by the organization. It also helps if they are well-acquainted with your organization's industry and processing tasks so they are able to provide the proper oversight and support.
A single DPO can be shared between multiple companies. They must be able to carry out all their tasks effectively and realistically and be provided the necessary resources in order to be able to do so.
Data Breach Obligations
One of the DPO's primary functions is to be the first point of contact in the case of a breach of personal data.
What constitutes a breach?
A breach is a lapse in security that results in the accidental (or purposeful) destruction, modification, loss, unauthorized disclosure of, or access to, personal data under the care of your organization. Breaches can include access by an unauthorized third party, the theft or loss of devices containing personal data, the sending of data to an incorrect recipient, the unauthorized modification of personal data, or the loss of availability of the data.
If the data breach is likely to present a risk to the rights and freedoms of the data subjects, then the organization must report the breach to the proper supervisory authority. However, if the breach has a low risk of affecting these rights and freedoms, it does not need to be reported. However, the organization should document whichever decision it makes so it is able to justify it down the road if necessary.
If the breach is serious enough to warrant notification, the organization must do so "with undue delay," within 72 hours of the discovery of the breach, in accordance with GDPR. If the organization takes longer than this to notify the appropriate authority or the affected data subjects, they must be able to provide a reason for the delay. It may be the case that the organization will not know the cause of the breach or other relevant information within the required 72-hour notification period. In the event that not a lot of information is known about the breach, the organization will still be required to provide the initial notification to the appropriate authority, however they provide the details in phases and let them know when to expect further information.
Upon Failure to Comply
If the organization fails to notify the appropriate authorities and individuals, or is otherwise deemed non-compliant with the regulation, it can result in some pretty hefty penalties.
Which brings us to our next topic.
Now that we know more about GDPR and its requirements, perhaps the most important thing to be aware of is what happens when an organization fails to comply with the regulation.
When determining whether an organization is non-compliant, under GDPR there is a list of 10 criteria to consider:
- Nature of infringement: The scope of the infraction (e.g. the number of people affected, damages suffered, duration of the incident, and the purpose of the processing).
- Intention: Whether the infraction was intentional or caused by negligence.
- Mitigation: Whether actions have been taken to alleviate the damages to those affected.
- Preventative measures: Whether the organization made any previous preparations to prevent non-compliance, and how much.
- History: Whether the organization has any past data protection infractions (not just under GDPR but any data protection legislation).
- Cooperation: Whether the organization has been cooperative with the appropriate authorities to mitigate the infraction's effects.
- Data type: What kinds of data have been affected (i.e. whether any "special category" data was involved).
- Notification: Whether the infraction was reported "without undue delay" to the appropriate authority by the organization or a third party.
- Certification: Whether the organization qualified under approved certifications or complied with approved codes of conduct.
- Other: Any other contributing factors that may include financial impact on the organization from the infraction.
Non-compliance to any item under GDPR will result in significant fines toward the organization. However, the fine amount will depend on the level of non-compliance.
So, what can we expect?
Well, for lesser offenses involving data controllers and processors, certification bodies, and/or monitoring bodies, the penalty for not complying with GDPR can be a fine of up to €10 million (roughly $11.9 million USD) over the past financial year. Or, if two percent of the organization's worldwide annual revenue is greater than this amount, that would be the fine imposed.
For greater offenses committed under GDPR, the penalty can be a fine of up to €20 million (roughly $23.7 million USD), or four percent of the organization's worldwide annual revenue over the last year, whichever amount is greater. These types of infractions can include those related to:
- The basic principles for processing (including consent requirements)
- Rights of individuals in the processing of their information
- Personal data transfers in a third country or international organizations
- Non-compliance with an order from a data protection authority
Furthermore, if an organization is deemed non-compliant in multiple aspects of GDPR, they will be fined in accordance to the greatest offense.
There we have it. Now we can see how important it is to make sure your organization is compliant with the new GDPR. Compliance is especially vital for smaller organizations who are more likely to be hit harder by potential fines of this magnitude. This is why preparation is key and awareness is critical to be sure that all the proper procedures are put in place before the May 25th enforcement date.
Next week in the GDPR Overview series…
That's it for this week in the GDPR Overview series. Join us tomorrow for a wrap up of all the topics covered this last several weeks.