ToolsEmail Marketing | Personalize and Customize Your Messages, Contact Relationship Management Software
5 min read
5 min read
Welcome to another week of the GDPR Overview blog series! This week we will learn what a DPO is, how your organization should respond to data breaches, and what the penalties are for failure to comply with the regulation.
Let's dive in.
You may have heard the term "DPO" tossed around in regard to the General Data Protection Regulation, but what does this actually mean?
A DPO is a data protection officer. Data protection officers' responsibilities include, among others, helping your organization ensure its activities remain in compliance with GDPR; advising the organization on data protection issues and any data protection impact assessments (a process to identify data protection risks for a specific project); and being the first point of contact for those whose data is being processed as well as any necessary regulatory authority. The DPO is not personally responsible or liable for data protection compliance. This is still up to the controller or processor, however, the DPO does play a vital part to ensuring the organization is fulfilling its appropriate data protection obligations.
Your next question is probably asking whether your organization needs to appoint at data protection officer. There are a couple situations in which it is mandatory for an organization to appoint DPO, for example:
Public authorities include bodies that are linked to the government; provide a public service; are regulated or supervised by the state; have charitable objectives; have powers that are enforceable upon the public; or whose rights and responsibilities are found in public, rather than private law. Court systems, however, are excluded from having to appoint a DPO when they are acting in their judicial capacity.
It doesn't matter whether your organization is a data controller or a data processor; if it meets any of the above criteria then you must appoint a data protection officer. On the other hand, your organization may choose to appoint a DPO even if you don't have to. Although, voluntarily appointing a DPO requires your organization to comply with the position's requirements just the same as if the appointment was mandatory.
So who can be appointed as a DPO?
A DPO can either be a current employee of your organization or they can be someone hired from the outside. They should have an extensive knowledge of data protection law, proportionate to the amount of data processing carried out by the organization. It also helps if they are well-acquainted with your organization's industry and processing tasks so they are able to provide the proper oversight and support.
A single DPO can be shared between multiple companies. They must be able to carry out all their tasks effectively and realistically and be provided the necessary resources in order to be able to do so.
One of the DPO's primary functions is to be the first point of contact in the case of a breach of personal data.
What constitutes a breach?
A breach is a lapse in security that results in the accidental (or purposeful) destruction, modification, loss, unauthorized disclosure of, or access to, personal data under the care of your organization. Breaches can include access by an unauthorized third party, the theft or loss of devices containing personal data, the sending of data to an incorrect recipient, the unauthorized modification of personal data, or the loss of availability of the data.
If the data breach is likely to present a risk to the rights and freedoms of the data subjects, then the organization must report the breach to the proper supervisory authority. However, if the breach has a low risk of affecting these rights and freedoms, it does not need to be reported. However, the organization should document whichever decision it makes so it is able to justify it down the road if necessary.
If the breach is serious enough to warrant notification, the organization must do so "with undue delay," within 72 hours of the discovery of the breach, in accordance with GDPR. If the organization takes longer than this to notify the appropriate authority or the affected data subjects, they must be able to provide a reason for the delay. It may be the case that the organization will not know the cause of the breach or other relevant information within the required 72-hour notification period. In the event that not a lot of information is known about the breach, the organization will still be required to provide the initial notification to the appropriate authority, however they provide the details in phases and let them know when to expect further information.
If the organization fails to notify the appropriate authorities and individuals, or is otherwise deemed non-compliant with the regulation, it can result in some pretty hefty penalties.
Which brings us to our next topic.
Now that we know more about GDPR and its requirements, perhaps the most important thing to be aware of is what happens when an organization fails to comply with the regulation.
When determining whether an organization is non-compliant, under GDPR there is a list of 10 criteria to consider:
Non-compliance to any item under GDPR will result in significant fines toward the organization. However, the fine amount will depend on the level of non-compliance.
So, what can we expect?
Well, for lesser offenses involving data controllers and processors, certification bodies, and/or monitoring bodies, the penalty for not complying with GDPR can be a fine of up to €10 million (roughly $11.9 million USD) over the past financial year. Or, if two percent of the organization's worldwide annual revenue is greater than this amount, that would be the fine imposed.
For greater offenses committed under GDPR, the penalty can be a fine of up to €20 million (roughly $23.7 million USD), or four percent of the organization's worldwide annual revenue over the last year, whichever amount is greater. These types of infractions can include those related to:
Furthermore, if an organization is deemed non-compliant in multiple aspects of GDPR, they will be fined in accordance to the greatest offense.
There we have it. Now we can see how important it is to make sure your organization is compliant with the new GDPR. Compliance is especially vital for smaller organizations who are more likely to be hit harder by potential fines of this magnitude. This is why preparation is key and awareness is critical to be sure that all the proper procedures are put in place before the May 25th enforcement date.
That's it for this week in the GDPR Overview series. Join us tomorrow for a wrap up of all the topics covered this last several weeks.