The Data Protection Officer
eBook - ePub

The Data Protection Officer

Profession, Rules, and Role

  1. 367 pages
  2. English
  3. ePUB (mobile friendly)

About This Book

The EU's General Data Protection Regulation created the position of corporate Data Protection Officer (DPO), who is empowered to ensure that the organization is compliant with all aspects of the new data protection regime. Organizations must now appoint and designate a DPO. The specific definitions and building blocks of the data protection regime are enhanced by the new General Data Protection Regulation, and the DPO will therefore be very active in passing the message and requirements of the new data protection regime throughout the organization. This book explains the roles and responsibilities of the DPO, and highlights the potential cost of getting data protection wrong.

The Data Protection Officer by Paul Lambert is available in PDF and/or ePUB format, and is catalogued under Computer Science & Cyber Security.

Information

Year: 2016
ISBN: 9781315396729
Edition: 1

SECTION 1: A New Profession

CHAPTER 1: New Role: New Impact
Introduction
The newly created position of the corporate data protection officer (DPO) is empowered to ensure that the organization is compliant with all aspects of the new data protection regime. Organizations must now appoint and designate a DPO for the organization. This will be a significant appointment and will have long-term benefits for the organization. The specific definitions and building blocks of the data protection regime are enhanced by the new General Data Protection Regulation (GDPR), and the new DPO will therefore be very active in passing the message and requirements of the new data protection regime throughout the organization, including the benefits. It will also be important to highlight the potential cost of getting data protection wrong.
The Parties
Organizations need to understand the concepts and parties involved in the data protection regime. The data protection regime involves a number of key parties, namely
• Individuals: Referred to as “data subjects.” It is their personal information and personal data that are being protected.
• Organizations: Referred to as “controllers,” those who decide to collect, use, and process individuals’ personal data.
• Outsourced organizations: Referred to as “processors.” The controller organization has outsourced or delegated some of its processing activities to a third-party organization; for example, payroll processing regarding employees, or marketing or market research regarding current or prospective customers.
In addition, organizations need to consider the following in relation to data protection compliance and the data protection issues that arise, namely
• Data protection officer: The individual office holder in the organization tasked with ensuring data protection compliance, education, and so on. He or she is frequently the general point of contact within the organization for queries regarding personal data.
• Board member: Organizations should ensure that data protection compliance is prioritized at board level. The DPO should regularly report to this board member.
• IT manager: Given the importance of security for personal data enshrined in the data protection regime, the information technology (IT) manager needs to be apprised of the requirements and involved in assisting compliance.
Personal Data Use and Compliance
Appreciation of and compliance with the data protection regime in relation to personal data is important. First, everyone has personal data relating to them. Second, every organization and entity collects and processes the personal data of individuals. Sometimes this is on a small scale; sometimes it is on a massive scale. Data protection compliance obligations apply to all organizations, whether small or large, commercial enterprises, official government organizations, or even charities. Obligations also apply to the primary organization involved (the “controller” organization) as well as to outsourced entities such as agents, consultants, processors, and so on.
Furthermore, the instances where personal data are used are ever increasing. For example, every reservation, booking, transaction, and journey involves personal data. Every organization that one deals with, whether governmental, enterprise, or nonprofit, uses or creates data in relation to the person. The volume of such personal data collection and processing is now even more significant with the advent of digitization, social media, and e-commerce. Many commercial organizations realize the value of personal data. Increasingly, new business models are relying on personal data.
The default position is that organizations must inform individuals that they intend to collect and use their personal data, detail the purposes for which the data will be used, and obtain consent (or rely on another lawful basis) to do so. Frequently, tensions arise when organizations do not do this, or seek to do it in a manner that does not fully or transparently respect the rights of individuals. While compliance is always possible, there are many instances of organizations getting it wrong and facing the consequences of audit, penalty, prosecution, or investigation.
Personal data also need to be considered in terms of inward-facing (e.g., relating to employees) and outward-facing (e.g., relating to customers) personal data. Different mechanisms may apply to how organizations deal with personal data, depending on the type of data involved.
What Data Protection Is
Data protection laws protect the personal information of individuals, that is, the personal data of and in relation to individuals. It is therefore similar, in some respects, to privacy. The data protection regime provides a regulatory protection regime around personal information, privacy, or personal data. Personal data are data or information that relate to or identify, directly or indirectly, an individual. Data protection is, in many respects, wider than privacy and confidentiality. Personal data are defined in the European Union (EU) Data Protection Directive 95/46/EC of 1995 (DPD95), the national data protection laws, and now in the new GDPR.
The data protection legal regime governs if, when, and how organizations may collect and process personal data and, where permitted, for how long.
This applies to all sorts of personal information, from general to highly confidential and sensitive. Examples of the latter include sensitive health data, sexuality data, and details of criminal offenses.
The data protection regime is twofold, in the sense of
• Providing obligations (both inward facing and outward facing) with which organizations must comply.
• Providing individuals (or data subjects, as they are technically known) with various data protection rights that they, representative organizations, and/or the data protection supervisory authorities can invoke or enforce as appropriate. Significantly, the ability of privacy groups and collective nongovernmental-type organizations to invoke data protection rights on behalf of individuals is new (see the new GDPR, replacing the DPD95). The GDPR brings “comprehensive reform”* to the data protection regime and “will put an end to the patchwork of data protection rules that currently exists in the EU.”†
Organizations, as part of their compliance obligations, previously had to register with or notify the national supervisory authority in relation to their data processing activities (unless exempted). This compliance obligation in the national data protection laws and the DPD95 is changed in the new GDPR. Now, there is generally no need for general registration, unless the activities come within special categories of data protection risk. These activities potentially require a specific amendment to the national data protection laws to reflect the new data protection regime.
Certain sectors of industry and specific activities (e.g., data transfers abroad, direct marketing [DM], etc.) have additional data protection compliance rules.
Individuals can invoke their rights directly with organizations, with the supervisory authority, and also with the courts in legal proceedings. Now, particular requests may also be made by representative organizations on behalf of groups of individuals. Compensation can also be awarded, and injunctive relief can also arise. In addition, criminal offenses can be prosecuted. Data protection compliance is therefore very important. Indeed, penalties are significantly increased under the new data protection regime.
As regards the implementation of compliance frameworks, organizations must have defined structures, policies, and teams in place to ensure that they know what personal data they have and for what purposes; that they are held fairly, lawfully, and in compliance with the data protection regime; and that they are safely secured against damage, loss, and unauthorized access.
The cost of loss and of security breach can be significant, financially as well as in terms of brand and publicity. A 2015 IBM study estimated the cost of a data breach to average $3.8 million per incident. A data breach at the telecommunications company TalkTalk (in 2015) was estimated to cost £35 million. One data breach at Target (a US retail chain) was estimated to cost $162 million, plus a 5.3% drop in sales. Breaches can also give rise to criminal offenses, which can be prosecuted. In addition, personal liability can attach to organizational personnel, separately from and in addition to the liability of the organization itself.
Need for Data Protection
Why do we have a data protection regime? We have a data protec...

Table of contents

  1. Cover
  2. Half Title
  3. Title Page
  4. Copyright Page
  5. Table of Contents
  6. Guiding Points for Data Protection Officers
  7. Abbreviations
  8. SECTION 1 A NEW PROFESSION
  9. SECTION 2 THE REGULATION
  10. SECTION 3 ROLE
  11. SECTION 4 TASKS
  12. SECTION 5 TOOLS OF THE DATA PROTECTION OFFICER
  13. Appendix
  14. Index