Data Protection Officer

The EU's General Data Protection Regulation created the position of corporate Data Protection Officer (DPO), who is empowered to ensure the organization is compliant with all aspects of the new data protection regime. Organizations must now appoint and designate a DPO. The specific definitions and building blocks of the data protection regime are enhanced by the new General Data Protection Regulation and therefore the DPO will be very active in passing the message and requirements of the new data protection regime throughout the organization. This book explains the roles and responsiblies of the DPO, as well as highlights the potential cost of getting data protection wrong.

What is DATA PROTECTION OFFICER (DPO)?A data protection officer (DPO) is an enterprise security leadership role required by the General Data Protection Regulation (GDPR). Data protection officers are responsible for managing data protection strategy and execution to ensure compliance with GDPR requirements.Entities will have to make considerable efforts to get their data protection organization into compliance with the GDPR. Different organizational requirements will have to be fulfilled.Records of Processing Activities Controllers and processors will have to implement records of their processing activities that will--if thoroughly maintained--permit to prove compliance with the GDPR towards the Supervisory Authorities and help to fulfil the information obligations towards the data subjects. Records must contain, inter alia, information on the purposes of processing, the categories of data that are affected and a description of the technical and organizational security measures applied.

The EU General Data Protection Regulation (GDPR) is coming into force in 2018. This book details the dynamics of the designated Data Protection Officer role including the underlying requirements, skills and activities involved in starting up or developing privacy programmes and in building a culture that supports privacy and security of data.

This handbook provides practical guidance for the (junior, medior and senior) Data Protection Officer (DPO) to assemble a work plan as per applicable EU GDPR guidelines. At present EU's GDPR is largely recognized as a gold standard all over the world, also for the ever-growing community of DPOs as per national legislations. This publication is part of official mandatory training materials for Certified Data Protection Officer from the European Association of Data Protection Professionals (EADPP) as per the EADPP CDPO Certification Scheme and applicable CDPO Body of Knowledge (Part D) as provided by Privacad. The practical approach followed in this richly illustrated handbook is of relevance for any (future) Data Protection Officer active in any part of the World performing tasks as per local, regional or international norms and regulations. This books explicitly explains the roles and responsibilities of the DPO as envisaged in the GDPR. As stated by the European Data Protection Board (EDPB) it is best practice for the DPO to have a work plan. What does such a work plan look like? Providing an answer to that question lies at the core of this publication. Two key pillars are followed to assemble a professional and practical DPO work plan. First, the text as enshrined in the General Data Protection Regulation (GDPR) itself codifies an important line of orientation in the embodiment of Articles 37 to 39 of the GDPR in which the designation, positions and tasks of the DPO are discussed. Second, the typical role the DPO is playing in the "daily data protection practice" which can be inferred from, among others, an action plan (or work plan) from an enterprise (institution or organisation). In pursuit of compliance with the obligations pursuant to the GDPR, at least the following steps usually be distinguished. Establish GDPR (privacy and data protection) policies. Make an inventory of personal data. Perform a GDPR (privacy and data protection) baseline. Perform a GDPR (privacy and data protection) gap-analysis. Perform a GDPR (privacy and data protection) implementation. Perform GDPR (privacy and data protection) review and update. Perform GDPR (privacy and data protection) assurance and audit. Compose and communicate the GDPR accountability and reports. According to the European Data Protection Board (formerly operating as WP29), the DPO (or the organisation) should avail of a work plan which the organisation will use as a basis for providing, among others, 'necessary resources' for the DPO. With the entry into force of the GDPR as of 25 May 2018, the need to work on professional maturity of the Data Protection Officer (DPO) became more and more urgent. This handbook is part of the 'Privacy and Data Protection' series offered under auspices of Honorary Visiting Professor Romeo Kadir, acting Editor-in-Chief and author of the first publications in this series. At present professor Romeo Kadir (with over 25 years of experience as privacy and data protection professional) is Constituent President of the GDPR Certification Committee Academic Board of the European Association of Data Protection Professionals (EADPP) and President of the European Institute for Privacy, Audit, Compliance and Certification (EIPACC) and lecturer with the International Privacy Academy (Privacad). He holds several positions as Board Member, Corporate Consultant and Government Advisor related to privacy and data protection affairs.

Privacy and data protection in police work and law enforcement cooperation has always been a challenging issue. Current developments in EU internal security policy, such as increased information sharing (which includes the exchange of personal data between European law enforcement agencies and judicial actors in the area of freedom, security and justice (Europol, Eurojust, Frontex and OLAF)) and the access of EU agencies, in particular Europol and Eurojust, to data stored in European information systems such as the SIS (II), VIS, CIS or Eurodac raise interesting questions regarding the balance between the rights of individuals and security interests. This book deals with the complexity of the relations between these actors and offers for the first time a comprehensive overview of the structures for information exchange in the area of freedom, security and justice and their compliance with data protection rules in this field.

The complexities of implementing the General Data Protection Regulation (GDPR) continue to grow as it progresses through new and ever-changing technologies, business models, codes of conduct, and decisions of the supervisory authorities, and the courts. This eminently practical guide to implementing the GDPR – written in an original, problem-solving style by a highly experienced data protection expert with equal knowledge of both law and technology – provides a step-by-step project management approach to building a GDPR-compliant data protection system, assessing, and documenting the risks and then implementing these changes through processes at the operational level. With detailed attention to case law (Member State, ECJ, and ECHR), especially where affecting high-risk areas that have attracted scrutiny, the guidance proceeds systematically through such topics and issues as the following: required documentation, policies, and procedures; risk assessment tools and analysis frameworks; children’s data; employee and health data; international transfers post-Schrems II; data subject rights including the right of access; data retention and erasure; tracking and surveillance; and effects of technologies such as artificial intelligence, biometrics, and machine learning. With its practical examples derived from the author’s experience in building GDPR-compliant software, as well as its analysis of case law and enforcement priorities, this incomparable guide enables company data protection officers and compliance staff to advise on key issues with full awareness of the legal and reputational risks and how to mitigate them. It is also sure to be of immeasurable value to concerned regulators and policymakers at all government levels. “…it's going to be the go to resource for practitioners.” Tom Gilligan, Data Protection Consultant, September 2021 "I purchased this book recently and I’m very glad I did. It’s the textbook I have been waiting for. As someone relatively new to data protection, I was finding it very difficult to find books on the practical side of data protection. This book is very clearly laid out with practical examples and case law given for each topic, which is immensely helpful. I would recommend it to any data protection practitioners." Jennifer Breslin, LLM CIPP/E, AIPP Member

Large-scale data loss continues to make headline news, highlighting the need for stringent data protection policies, especially when personal or commercially sensitive information is at stake. This book provides detailed analysis of current data protection laws and discusses compliance issues, enabling the reader to construct a platform on which to build internal compliance strategies. The author is chair of the National Association of Data Protection Officers (NADPO).