DPO as a Service, fully outsourced, or on-call to support your own resources.
All organisations are now required to fulfil a wide set of obligations in this area, from setting and applying policies, to monitoring compliance and breach reporting, training and auditing.
You may be obliged under the Data Protection Act to appoint a Data Protection Officer, or DPO. Indeed, all organisations must ensure that they have sufficient staff, skills and appropriate reporting structures in place to meet their obligations under the GDPR.
It’s essential that a DPO has a level of independence and authority with regard to the organisation. It’s also very important to establish that a DPO has the appropriate skill levels, training and ability to access the information they require.
Oyster IMS offers a range of services to support internal data protection and privacy initiatives, from arms-length support to a full outsourced Data Protection Officer managed service.
To see how this service can support your organisation’s privacy responsibilities, download your DPO as a managed service brochure.
What is a ROPA?
ROPA stands for Record of Processing Activities.
Article 30 of the GDPR requires you to maintain a record of processing activities.
You will be required to produce this, if requested by the supervisory authority, e.g. the Information Commissioner’s Office (ICO) in the UK; the Data Protection Commission (DPC) in Ireland.
The ROPA must include a comprehensive overview of the processing activities you undertake. The ROPA lists every single processing activity, describing the exact usage of the data and the technical and organisational measures that have been put in place for the protection of the data. It shows who is affected by data processing, the recipient of data processed and any other data processors. The ROPA should also include a risk analysis.
A ROPA demonstrates your organisation’s GDPR compliance and so it is essential that it is well-managed and organised.
What is a Data Subject Access Request, or DSAR?
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.
Individuals may exercise the right by making a written ‘Data Subject Access Request’, or DSAR.
How can a DSAR be made?
An individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point.
A request does not have to include the phrase ‘subject access request’ or mention Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data. Therefore you may need to consider which of your staff who regularly interact with individuals may need specific training to identify a request.
Additionally, it is important to write and implement a policy for recording details of the requests you receive, particularly those made by telephone or in person.
Do we have to reply to a DSAR?
In almost all cases the answer is “yes”.
If a request is within the scope of the Data Protection Act (there are a few exemptions), you are required to comply and must provide the information requested.
You can also refuse to comply with a subject access request if it is:
In order to decide if a request is manifestly unfounded or excessive you must consider each request on a case-by-case basis. You should not have a blanket policy.
You must be able to demonstrate to the individual why you consider the request to be manifestly unfounded or excessive and, if asked, explain your reasons to the Information Commissioner.
How long do we have to respond to a DSAR?
You must comply with a request without undue delay and at the latest within one month of receipt of the request or (if later) within one month of receiving any information requested to confirm the requester’s identity.
You should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month.
What steps should we take before we respond to a DSAR?
If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality.
You need to let the individual know as soon as possible that you need more information from them to confirm their identity before responding to their request. The period for responding to the request begins when you receive the additional information.
If you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request. However, this does not affect the timescale for responding – you must still respond to their request within one month.
Who can make a DSAR?
The GDPR does not prevent an individual making a subject access request via a third party. Often, this will be a solicitor acting on behalf of a client, but it could simply be that an individual feels comfortable allowing someone else to act for them. In these cases, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement.
What should we provide when we respond to a DSAR?
An individual is entitled only to their own personal data, and not to information relating to other people (unless the information is also about them or they are acting on behalf of someone). Therefore, it is essential that you establish whether the information requested falls within the definition of personal data.
In addition to a copy of their personal data, you must also provide individuals with the following information:
Who should manage the response to a DSAR?
Responsibility for complying with a subject access request lies with your organisation, as the data controller.
Your DPO will generally be responsible for fulfilling a DSAR. If you haven’t appointed a DPO, the responsibility should be given to someone with up-to-date data protection knowledge and training in GDPR compliance.
If you don’t have the internal expertise, qualifications and practical experience in this area of data protection you could be well advised to get some professional support.
If you use a processor, you need to ensure that you have contractual arrangements in place to guarantee that subject access requests are dealt with properly, irrespective of whether they are sent to you or to the processor. You may not extend the one-month time limit on the basis that you have to rely on a processor to provide the information that you need to respond.
What happens if we fail to respond to a DSAR?
To fail to respond to a DSAR is to break the law.
Under the Data Protection Act 2018, fines of up to €20 million, or 4% of a business’ annual global turnover in the preceding financial year, whichever is higher, could be imposed by the ICO for non-compliance with data subject access requests.
So far, the practice employed by the ICO is to issue an enforcement notice, before taking legal and punitive actions.
What is a Personal data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
A personal data breach is a security incident that has affected the confidentiality, integrity or availability of personal data. A breach occurs if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach.
What is a Data Protection Impact Assessment (DPIA)?
A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.
You must do a DPIA for processing that is likely to result in a high risk to individuals.
It is also good practice to do a DPIA for any major project which requires the processing of personal data.
Your DPIA must:
What is a DPO?
DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.
What professional skills should the DPO have?
What does a Data Protection Officer do and who can be a DPO?
Organisations must appoint a DPO if they are a public body, process sensitive data on a large scale, or carry out regular and systematic monitoring of data subjects. Deciding what is meant by large scale is open to interpretation but organisations would be advised to err on the side of caution. Earlier thoughts during the development of the GDPR about the need for a DPO indicated larger organisations would need one. If you meet that threshold and decide not to have a DPO, you will need compelling reasons.
Larger organisations – those with over 250 staff – have additional responsibilities including the requirement to document all processes involving the handling of personal data.
A DPO doesn’t need to be a specified member of staff, as a third party can be used. In Germany, this practice has been in use for some time, with specialist agencies offering DPO services.
It’s essential that the DPO has a level of independence and authority with regard to the organisation.
It’s also very important to establish that a DPO has the appropriate skill levels, training and ability to access the information they require.
It is therefore critical that the DPO has the ability to understand both the law and how it should be applied within the organisation. This expertise must be applied to an understanding of the ways that the organisation acquires and processes information, as well as the security and protection measures employed.
It’s quite likely that many individuals who currently have the role of data protection representative may not be suited to the new DPO role.
Will you need a DPO?
Can we contract out the role of the DPO?
You can contract out the role of DPO externally, based on a service contract with an individual or an organisation. It’s important to be aware that an externally-appointed DPO should have the same position, tasks and duties as an internally-appointed one.
More information on our DPO Managed Service
© Copyright 2020 Oyster IMS