InfoGuard Cyber Security and Cyber Defence Blog

Data Protection Officer – the specialist in data protection and GDPR

Geschrieben von Daniel Däppen | 19 Mai 2017

The new European law on data protection, known as the GDPR (General Data Protection Regulation), will enter into force in May 2018. Only a few weeks have gone by since the achievement of the draught proposal of the reviewed Swiss Data Protection Law (CH-DSG); the feedbacks are rather critical. This means that changes to the draught are likely, and that discussions in both Federal Councils shall follow. It is high time that you too start giving thought to this issue. Read this post and see why you need a Data Protection Officer (DPO).

We already discussed, in a previous blog post, the impact of the introduction of the new GDPR on enterprises. Among its provisions, the act requires the appointment of an operational DPO; however, in the draught of the reviewed CH-DSG this provision has disappeared, which has led to criticisms from several sources, including the official reply to the proposal by the ISSS (Information Security Society Switzerland), and the editorial written by the legal expert David Rosenthal in the NZZ.

The DPO as Single Point of Contact – but not as One-Man Show

A DPO acts as a “Single Point of Contact” for all issues and requests in the field of the protection of personal data, including the following:

  • Requests from authorities, clients or providers
  • Communications to media and other stakeholders
  • Development and management of the data privacy programme
  • Definition of processes for the protection of personal data
  • Incident management (Data Breaches, Data Leaks, Security Incidents)
  • Internal consulting for projects, coworkers, management and board

And this is just a small excerpt from the diverse fascinating activities of a DPO. Please look up our infographic and learn more about the duties of a DPO.


You can download the detailed infographic from here!

 

Appoint a DPO Now: Internal or External?

It is foreseen that in the near future the requirements of personal data protection will grow in importance. So much can be inferred by the new European legislation on personal data protection, the upcoming Swiss law, the ever-growing trend in the use of cloud computing, and the global political developments.

Each organisation working with personal data is touched by these legal requirements; therefore, they must take appropriate steps to incorporate them into their own corporate processes. The skills required of a DPO can often be found within the current staff in larger corporations and groups; the same however does not apply to most SMEs. We know by experience that the quality of a DPO's job will never be up to scratch, when it is done as a minor, secondary job. And pretending to ignore the strict requirements (including the related risks of sanctions in case of non-compliance) is not an option for any enterprise.

The solution of the problem is an external DPO: either a full-time or a part-time one. Depending on the needs of the organisation, the issue of personal data protection will be professionally taken up by a competent, experienced specialist. The commitment of the DPO during the first few months, at the time of the definition and implementation of a privacy programme, is full-time; thereafter, often a part-time commission is enough. The job requires legal and regulatory knowledge, together with technical skills, understanding of current ICT technologies and security controls, and of course an up-to-date knowledge of cyber risks. Moreover, since co-workers, clients, authorities and the organisation's management in the first place must be kept regularly updated on privacy issues, the professional's profile will be eked out by marked communication skills.

All these interdisciplinary competences are seldom found all together in one single person; and when they are actually found, the person is certainly not cheap – and this is a further reason for keeping costs under control: that is, entrusting the task of a DPO to an external resource, on a time- or project-basis.

Your DPO from the Leading Swiss Cyber Security Experts

For this purpose, InfoGuard offers on one side the complete “DPO-as-a-Service”, including legal consulting by our selected partners, and on the other individual services such as a Privacy Impact Assessment, or a check-up of organisational and technical security controls. Together with our partner MME, a Swiss consulting firm specialised in IT Law and Privacy compliance, we support our clients in achieving the internationally acknowledged “ePrivacyseal”. A team of experts in cyber security and privacy, from InfoGuard, and of legal experts from the law firm MME, will lead your organisation along the path to certification. Not long ago, we supported the first Swiss company in achieving the seal; more information is available in our press release.