A Data Protection Officer (DPO) supervises compliance with the Personal Data Protection Act.

Data Protection Officer required in many cases

Currently, companies and organizations are free to decide whether to appoint a Data Protection Officer (DPO), but that will not last much longer. By May 25, 2018, when the European Privacy Regulation is in force, companies and organizations MUST appoint a DPO in a number of situations.


The legal duties and powers of the DPO give him or her an independent position in the organization. It is possible to appoint an external employee as DPO. In fact, it is advantageous to hire an external DPO, but we will come back to that later.

The new European Privacy Regulation (the General Data Protection Regulation) makes a DPO mandatory for:

  • Organizations that, due to their nature or size, process personal data on a large scale
  • Public administrations, excluding courts

Other mandatory situations can be added per country. The initial requirement that a DPO is mandatory for companies with more than 250 employees has been dropped.

ICT2MKB has the best Certified Privacy Experts for you

ICT2MKB is an expert in the field of current and future privacy legislation. We are aware of the latest developments and have years of experience in drawing up and implementing privacy policies, security guidelines, processor agreements, Privacy Impact Assessments (PIAs), Privacy Enhanced Technologies (PET), privacy by design and privacy by default.

The DPOs of ICT2MKB are highly qualified consultants with extensive experience in the (EU) Privacy and IT Security domain and expertise in the field of data protection. The DPOs can work for you in-house or externally, part-time or full-time. If you have a DPO yourself, ICT2MKB can support him or her and provide specialist, high-quality privacy advice. Finally, ICT2MKB provides turnkey solutions for Privacy Compliance.

Are you looking for a Privacy Expert, a DPO or an IT Security consultant with knowledge in the field of the Personal Data Protection Act? ICT2MKB has those people for you and can take a lot of work and worries off your hands.

Art. 39 of the privacy legislation states what is expected of a DPO and what knowledge he / she must have. In time, official certification will be provided. ICT2MKB meets all criteria.

A certification is important when training an employee as a DPO or when hiring an external DPO. There is one institute for privacy certification known worldwide: the IAPP. The IAPP has various certificates; for a DPO the CIPP/E and CIPM are the most relevant. Anyone in possession of these certificates must earn a number of points every year to be able to keep the certificate. Their knowledge is therefore always up to date.

ICT2MKB ensures that you avoid privacy risks

What can ICT2MKB do for you to avoid privacy risks?

We can:

  • Support your company in conducting a PIA or performing it for you. With this you offer your organization an instrument to visualize privacy risks at an early stage in a structured and clear manner.
  • Support your organization in examining the privacy requirements for your organization.
  • Draw up measures to ensure that you comply with the new EU privacy regulation by implementing the correct form of Privacy Enhanced Technologies (PET) and going through the steps required to handle personal data in the right way in the future.

Work on your data security policy

Even if you have not yet appointed a DPO, you can already start to protect personal data better. And that goes beyond just encrypting data. Because before you know it, employees move sensitive data to the cloud because they want to work from home.

Always use encryption, even if the law does not prescribe it. Too often, companies see this as complicated, even though smart use of encryption gives you an extra layer of protection against all kinds of cyber crime. ICT2MKB is happy to help you with this.

It's also a good step to use logs more smartly: not only as a reference after a data breach, but also to learn more about user behavior. For example, do you have employees who invariably ignore their software updates? They make it very easy for cyber criminals to access your data.

The biggest misconceptions about the European privacy regulation

Not everyone seems to realize that the new European rules for processing personal data also apply to his / her company. That is why it is high time to get rid of the main misconceptions about privacy legislation and to explain the situation. Before you know it, it is May 25, 2018.

1. FALSE: The European privacy regulation and the appointment of a DPO are only important for large companies
Every organization must comply with privacy legislation. The rules, like our current privacy law, apply to any form of processing of personal data, regardless of the size of the organization. If processing data is one of the core activities of your company, the appointment of a DPO is mandatory, regardless of the number of employees.
2. FALSE: The European privacy regulation only applies to companies in Europe
Companies based outside the EU, but offering business or services to European citizens while processing their data, must comply with privacy legislation. The same applies to organizations that monitor the surfing behavior of Europeans via cookies.
3. FALSE: The European privacy regulation only applies to online data
Privacy legislation regulates the online and offline world. The new rules apply equally well to a paper archive, direct mail and display advertising.
4. FALSE: The European privacy regulation is only important in the B2C sphere
The privacy legislation applies to both B2B and B2C. After all, B2B data quickly becomes personal data, such as a business email address, direct telephone numbers, job titles or business postal addresses. In that case, the new rules apply.
5. FALSE: The European privacy regulation does not apply to us, because we do not process data automatically
The privacy legislation applies to automated processing (profiling), but also to partly automated processing or other structured collections of personal data.
6. FALSE: If our privacy statement is in order, we comply with the European privacy regulation
Privacy legislation tightens existing standards, but also introduces new obligations. Organizations must draw up a data breach protocol and do a Privacy Impact Assessment (PIA) for certain processes. They must also keep records of which data they process, which processors they engage and how data is protected. The consumer also has new rights, including the right to transfer his or her information (data portability).
7. FALSE: If we have permission for the processing, we comply with the European privacy regulation
Consent to the use of data must be the result of an active action and you must provide sufficient information to allow someone to give meaningful consent. You will have to re-examine the way in which consent is obtained. Important information about what someone is giving permission for should not be hidden in the terms and conditions.
8. FALSE: We have a cookie banner on our website, so we are ready for the European privacy regulation
It is important to realize that privacy legislation regulates the processing of personal data "technology neutral". This means that specific rules for the use of cookies or sending e-mails are not regulated in this privacy legislation. The cookie banner is the result of a European Directive (the E-Privacy Directive) that has been implemented in national legislation (our Cookie privacy legislation). The European Commission has now launched a consultation on the revision of this Directive.


Feel free to contact us using the contact form or call: +31 (0) 88 - 428 26 00 for a no-obligation introductory appointment.