The Data Protection Officer

The EU's General Data Protection Regulation created the position of corporate Data Protection Officer (DPO), who is empowered to ensure the organization is compliant with all aspects of the new data protection regime. Organizations must now appoint and designate a DPO. The specific definitions and building blocks of the data protection regime are enhanced by the new General Data Protection Regulation and therefore the DPO will be very active in passing the message and requirements of the new data protection regime throughout the organization. This book explains the roles and responsiblies of the DPO, as well as highlights the potential cost of getting data protection wrong.

What is DATA PROTECTION OFFICER (DPO)?A data protection officer (DPO) is an enterprise security leadership role required by the General Data Protection Regulation (GDPR). Data protection officers are responsible for managing data protection strategy and execution to ensure compliance with GDPR requirements.Entities will have to make considerable efforts to get their data protection organization into compliance with the GDPR. Different organizational requirements will have to be fulfilled.Records of Processing Activities Controllers and processors will have to implement records of their processing activities that will--if thoroughly maintained--permit to prove compliance with the GDPR towards the Supervisory Authorities and help to fulfil the information obligations towards the data subjects. Records must contain, inter alia, information on the purposes of processing, the categories of data that are affected and a description of the technical and organizational security measures applied.

The EU General Data Protection Regulation (GDPR) is coming into force in 2018. This book details the dynamics of the designated Data Protection Officer role including the underlying requirements, skills and activities involved in starting up or developing privacy programmes and in building a culture that supports privacy and security of data.

This handbook provides practical guidance for the (junior, medior and senior) Data Protection Officer (DPO) to assemble a work plan as per applicable EU GDPR guidelines. At present EU's GDPR is largely recognized as a gold standard all over the world, also for the ever-growing community of DPOs as per national legislations. This publication is part of official mandatory training materials for Certified Data Protection Officer from the European Association of Data Protection Professionals (EADPP) as per the EADPP CDPO Certification Scheme and applicable CDPO Body of Knowledge (Part D) as provided by Privacad. The practical approach followed in this richly illustrated handbook is of relevance for any (future) Data Protection Officer active in any part of the World performing tasks as per local, regional or international norms and regulations. This books explicitly explains the roles and responsibilities of the DPO as envisaged in the GDPR. As stated by the European Data Protection Board (EDPB) it is best practice for the DPO to have a work plan. What does such a work plan look like? Providing an answer to that question lies at the core of this publication. Two key pillars are followed to assemble a professional and practical DPO work plan. First, the text as enshrined in the General Data Protection Regulation (GDPR) itself codifies an important line of orientation in the embodiment of Articles 37 to 39 of the GDPR in which the designation, positions and tasks of the DPO are discussed. Second, the typical role the DPO is playing in the "daily data protection practice" which can be inferred from, among others, an action plan (or work plan) from an enterprise (institution or organisation). In pursuit of compliance with the obligations pursuant to the GDPR, at least the following steps usually be distinguished. Establish GDPR (privacy and data protection) policies. Make an inventory of personal data. Perform a GDPR (privacy and data protection) baseline. Perform a GDPR (privacy and data protection) gap-analysis. Perform a GDPR (privacy and data protection) implementation. Perform GDPR (privacy and data protection) review and update. Perform GDPR (privacy and data protection) assurance and audit. Compose and communicate the GDPR accountability and reports. According to the European Data Protection Board (formerly operating as WP29), the DPO (or the organisation) should avail of a work plan which the organisation will use as a basis for providing, among others, 'necessary resources' for the DPO. With the entry into force of the GDPR as of 25 May 2018, the need to work on professional maturity of the Data Protection Officer (DPO) became more and more urgent. This handbook is part of the 'Privacy and Data Protection' series offered under auspices of Honorary Visiting Professor Romeo Kadir, acting Editor-in-Chief and author of the first publications in this series. At present professor Romeo Kadir (with over 25 years of experience as privacy and data protection professional) is Constituent President of the GDPR Certification Committee Academic Board of the European Association of Data Protection Professionals (EADPP) and President of the European Institute for Privacy, Audit, Compliance and Certification (EIPACC) and lecturer with the International Privacy Academy (Privacad). He holds several positions as Board Member, Corporate Consultant and Government Advisor related to privacy and data protection affairs.

The EU's General Data Protection Regulation created the position of corporate Data Protection Officer (DPO), who is empowered to ensure the organization is compliant with all aspects of the new data protection regime. Organizations must now appoint and designate a DPO. The specific definitions and building blocks of the data protection regime are enhanced by the new General Data Protection Regulation and therefore the DPO will be very active in passing the message and requirements of the new data protection regime throughout the organization. This book explains the roles and responsiblies of the DPO, as well as highlights the potential cost of getting data protection wrong.

Large-scale data loss continues to make headline news, highlighting the need for stringent data protection policies, especially when personal or commercially sensitive information is at stake. This book provides detailed analysis of current data protection laws and discusses compliance issues, enabling the reader to construct a platform on which to build internal compliance strategies. The author is chair of the National Association of Data Protection Officers (NADPO).

GDPR: Personal Data Protection in the European Union Mariusz Krzysztofek Personal data protection has become one of the central issues in any understanding of the current world system. In this connection, the European Union (EU) has created the most sophisticated regime currently in force with the General Data Protection Regulation (GDPR) (EU) 2016/679. Following the GDPR’s recent reform – the most extensive since the first EU laws in this area were adopted and implemented into the legal orders of the Member States – this book offers a comprehensive discussion of all principles of personal data processing, obligations of data controllers, and rights of data subjects, providing a thorough, up-to-date account of the legal and practical aspects of personal data protection in the EU. Coverage includes the recent Court of Justice of the European Union (CJEU) judgment on data transfers and new or updated data protection authorities’ guidelines in the EU Member States. Among the broad spectrum of aspects of the subject covered are the following: – right to privacy judgments of the CJEU and the European Court of Human Rights; – scope of the GDPR and its key definitions, key principles of personal data processing; – legal bases for the processing of personal data; – direct and digital marketing, cookies, and online behavioural advertising; – processing of personal data of employees; – sensitive data and criminal records; – information obligation & privacy notices; – data subjects rights; – data controller, joint controllers, and processors; – data protection by design and by default, data security measures, risk-based approach, records of personal data processing activities, notification of a personal data breach to the supervisory authority and communication to the data subject, data protection impact assessment, codes of conduct and certification; – Data Protection Officer; – transfers of personal data to non-EU/EEA countries; and – privacy in the Internet and surveillance age. Because the global scale and evolution of information technologies have changed the data processing environment and brought new challenges, and because many non-EU jurisdictions have adopted equivalent regimes or largely analogous regulations, the book will be of great usefulness worldwide. Multinational corporations and their customers and contractors will benefit enormously from consulting and using this book, especially in conducting case law, guidelines and best practices formulated by European data protection authorities. For lawyers and academics researching or advising clients on this area, this book provides an indispensable source of practical guidance and information for many years to come.