Blog » HEADS UP! DATA PROTECTION OFFICER ON BOARD!
HEADS UP! DATA PROTECTION OFFICER ON BOARD!
15 January 2018
My Colleague Anita is dealing with data protection issues for a longer period of time and in December 2017 she has became a data protection officer. Now I am asking Anita about her experiences she has acquired during the course.
Viki: Why have you decided to take the DPO course?
Anita: Soon after the adoption of the General Data Protection Regulation (GDPR) we have started to deal with this topic in the office. We have figured out the GDPR will have an impact on basically all on our corporate clients as if one has employees, it is 100 % that personal data will be processed.
Although we have already gained significant knowledge, our managing partner, Richard encouraged me to deepen it and acquire practical experiences. That is why I have decided to make the GDPR manager – Data Protection Officer course.
Viki: What is the difference between a data protection officer and a lawyer who is specialized on data protection law?
Anita: A data protection officer does not only need legal knowledge but also has to be able to understand all business processes at the company which require the processing of personal data, including information security matters.
As an example, as an attorney who deals with data protection issues I know about what the company needs to inform its employees or clients if he processes their personal data. As a DPO I have to understand and identify the “route” of the collected personal data throughout the company (whether data is transmitted, how long and where is it stored) and what are the security risks on that “route”.
Viki: Have you acquired rather theoretical or practical knowledge on the course?
Anita: Obviously, we had to know the theoretical basics, so we have thoroughly reviewed the GDPR. In fact, as a good advice we were told that if we would like to be DPOs, we should read the GDPR at least 20 times.
However, in the significant part of the course we have learned how to apply the GDPR based on practical examples. For instance, we identified who is who in a data processing activity with multiple actors (eg. if the customer orders a product from our company and it will be delivered by a haulier), how the current data processing activities need to be reviewed and how to make them GDPR-compatible or how the records of data processing activities shall be maintained.
Viki: Which client needs to have a DPO?
Anita: Organizations whose main activity is the regular and systematic monitoring of data subjects (like a security company who operates camera surveillance system) will definitely need to appoint a DPO. Similarly, those companies who are processing sensitive data (eg. health data) on a large scale, like health service providers shall have one.
Of course, based on his own consideration, a company can decide to appoint a DPO to ensure the highest possible level of data protection even if he is not obliged to do so.
During the GDPR-compliance project we are happy to help clients to think over whether is it necessary or worth to appoint a data protection officer.
Anita, thank you for answering my questions.
WHY SHOULD YOU INVOLVE A LAWYER IN YOUR GDPR PROJECT?
In the last months preceding the entering into force of GDPR, the market was inundated with various service providers promising data protection compliance: data protection experts, counsels, IT experts, etc. Besides these providers, lawyers and law firms, experienced in the field of data protection also provide GDPR compliance services. We summarize the reason why you should involve them in your GDPR compliance project.Read more »
I GET “ONLY” STATISTICAL DATA FROM FACEBOOK – AM I DATA CONTROLLER UNDER GDPR?
Besides having a website, vast majority of businesses have company pages on the social networks like Facebook, Linkedin, etc. Do you become a data controller, being primarily responsible for data processing, if you get “only” statistical information of your visitors? The Court of Justice of the European Union addressed this question in its recent ruling.Read more »
HOW NOT TO DO DIRECT MARKETING? LEARN FROM THE MISTAKES OF TELEKOM!
In the recent past the Hungarian Data Protection Authority imposed a fine of 2 Million Hungarian Forints against Telekom, a major Hungarian telecommunication company, because of his unlawful direct marketing activity. Although the decision has been made before the entering into force of the GDPR, it is worth to examine the mistakes of Telekom. Indeed, the fine would have been much higher if it was imposed after the GDPR.Read more »