In one of my previous blogs I talked about the role of Inspector. Being able to adequately fulfil this role implicitly presupposes the appointment of a GDPR project manager, or Privacy Officer as we like to refer to the function, this being the first step towards a GDPR-related governance structure. In this blog I will further elaborate on the actual implementation of this type of governance structure.
Our experience shows that the individuals appointed as ‘GDPR project manager’ very often lack the means and mandate to actually accomplish the challenging task assigned to them, in many cases as a result of the Board’s failure to understand that GDPR compliance is very similar to fiscal compliance and should be tackled along the same lines.
Taking this into consideration, we believe that there are two key decisions to be made at the start of any GDPR implementation journey. The first being the appointment of a board member responsible for the GDPR portfolio, the second being the assignment of a Privacy Officer with a clear mandate from the organisation’s Board of Directors. These are the essential first steps to be taken for an organisation to be ready to set out on the road to GDPR implementation with any chance of success.
Moreover, it is very important that these two decisions are clearly understood to be initial steps in the implementation of what is to become an overall GDPR-related governance structure within the organisation. They must be followed up on by other, equally important steps, including the formation of a Privacy Team as implicitly referred to in Art. 24(1) juncto Art. 39(1)(b) of the GDPR. Implicitly, because Article 39(1)(b) of the GDPR mentions the necessity of “assigning responsibilities”, whereas Article 24(1) states that measures taken to achieve GDPR compliance must be “reviewed and updated where necessary”. Paraphrasing the latter requirement in terms of the Privacy Factory methodology, the implementation process must be executed by a Privacy Team using a Plan-Do-Check-Act approach.
The next step is performing a business risk assessment in accordance with Art. 24 of the GDPR, “taking into account… the risks of varying likelihood…” with the aim of identifying potential risks to the rights and freedoms of natural persons and possible vulnerabilities in the protection of personal data. The result of this assessment should be a list of business processes that require technical and/or organisational revision or improvement in order for the organisation to become or remain privacy accountable, and increasingly also to protect brand reputation and maintain customer trust.
Designate a Data Protection Officer
Once the Privacy Team is in place and risks have been identified, the question whether or not the organisation, ex Article 37 of the GDPR, has to designate a Data Protection Officer needs to be addressed. This involves a privacy activity to be allocated to the board member to whom the CEO or Chairman of the Board has assigned the GDPR portfolio.
The next important matter to be dealt with, from a governance perspective, is the requirement, ex Article 38(3) of the GDPR, that this DPO, if assigned, reports directly to the highest management level within the organisation. According to Article 37 of the GDPR, the Data Protection Officer is entitled to do so.
But what if there is no obligation to designate a Data Protection Officer? We believe that in this scenario, the right to report directly to the highest level of management should also be negotiated – prior to appointment – for the Privacy Officer. In our opinion, it is equally essential for a Privacy Officer (as it is for the DPO) to have access to the organisation’s highest management level (CEO, Chairman of the board) when it comes to reporting on the status of privacy accountability. Because at the end of the day, it is this highest level of management that will be held responsible for the organisation’s GDPR accountability status. For a controller to be ‘screened off’ from GDPR realities within his organisation is never an option.
The Privacy Factory