The General Data Protection Regulations, which comes into force shortly, requires a data processing officer
As we all know by now, the General Data Protection Regulations, the process by which the European Parliament intends to strengthen and unify data protection for all individuals within the European Union (EU), as well as addressing the export of personal data outside of the EU, comes into force on May 25th of this year.
One of the many requirements of the legislation is the need for a Data Processing Officer (DPO). This person assumes the role of data protection expert and deals with any data protection queries. It is a high-level position requiring grounding in both national and European data protection law and practice, as well as a thorough understanding of the GDPR.
Although there are three key areas where a DPO is definitely required, current thinking is that SMEs are not exempt and you are advised to assume you do require a DPO unless you can prove otherwise. The three main areas are:
So, is it possible, or worthwhile, for a smart city to share such a position?
The answer is yes. The need for the role of the ‘virtual DPO’ will increase, as many organisations will find that although they are required to have an audit carried out by a DPO, in reality, they will be unable to justify the expense of a dedicated person. So, having access to a local and shared DPO will be a luxury, especially if that DPO is known by others you associate with. Providing such a resource would be cost-effective for a facilities company too, as that individual could handle any in-house DPO functions as well as being ‘billed out’ as an additional revenue stream and benefit within the ‘smart environment’.
A virtual DPO affords more transparency for an organisation in that the DPO can be clearly neutral, objective and independent. They cannot be on the Board or a key IT member. They need to have a wide range of business knowledge and understanding of how the regulation could be best adopted. Often, this experience will come from working with many different organisations.
The ‘virtual DPO’ need not be a single person either. It could be a team, which gives the smart city resilience by being able to react quickly to either illness or work pressure, something not available should you employ a dedicated person. Furthermore, being part of a larger network means that your business is at the forefront of any changes that take place within the regulatory/legal sphere, be it the updates to GDPR, the new e-privacy regulation or the sharing of data post Brexit. You do not need to rely on one person to keep track of all the changes; the changes come to you. Instead of looking at one piece of legislation, you can ensure you incorporate more, so you do not have to start the work all over again further down the line.
A final advantage of a ‘virtual DPO’ is that, should the worst happen and you have to declare a breach with the ICO, the ‘virtual DPO’ would have had previous experience and will have the knowledge of how to navigate the process. This is a huge advantage to an organisation when in a crisis position and you are trying to recover data. Having someone skilled and ‘on your side’ will be very welcome indeed!
Colin Tankard is managing director at data security company Digital Pathways, a specialist in the design, implementation and management of systems that ensure the security of all data whether at rest within the network, mobile device, in-storage or data-in-transit across public or private networks.