We recently presented a webinar featuring Digital Guardian Director of Product Marketing Bill Bradley and Boldon James CEO Martin Sugden called “Solving Your Top 5 GDPR Challenges”. With organizations preparing for regulatory compliance, our audience had some interesting questions for our presenters. You can watch the full webinar on demand here.
Is it coverage of only "EU citizens" or data that originates in the EU regardless of the person's home country?
GDPR covers EU residents, not just citizens. Many websites discussing GDPR use the two terms interchangeably, though they are clearly different. Nowhere in the version of the GDPR regulation we have seen does the term “citizen” appear. The section that most closely defines who is in scope is on the first page of the regulation:
“The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data.”
How will Brexit affect GDPR compliance in the UK?
While nothing is set in stone as of yet, the likelihood is that the UK will adopt a regulation close, if not identical, to GDPR. From the projected timelines, the UK will still be part of the EU when the GDPR goes into effect, so at minimum the GDPR regulations will be enforced for the short term. A recent statement by Prime Minister Theresa May reinforced the fact that GDPR will be an influence on any UK data protection regulations post-Brexit if they choose to rewrite their regulations.
Most of my clients are based in the U.S. and many only do business with U.S. citizens. How does GDPR affect me?
If you are able to say that your client base is made up of 100% U.S. citizens, the impact of GDPR is limited, although certainly some practices in GDPR can be incorporated. From a compliance standpoint, this regulation is squarely focused on EU residents. Given the globalization of most businesses, there are many instances where you probably have some EU citizens and/or residents in your database. At that point, the GDPR standards will apply to those people. You may then decide to go through a data minimization exercise: if you have a very small percentage of EU people in your database who are not part of your core business, rather than go through GDPR compliance, you can push them out of your database.
What documentation is required for GDPR?
There is no specific documentation pack required for GDPR. You will need to have some things: for example, a record of the approval process you went through to get the information and what it is allowed to be used for. You will need some sort of record of how you approached your design from an obscurity perspective and how you made it core to your processes. You have to have some sort of processes in place that will meet the supervisory authority’s requirements for explaining what a breach is. None of those are mandated. Most of those are things that you will need to work out over time, based on industry standards and industry capabilities. Some companies will do data risk assessments, but each is going to work on its own standard rule set. So, there is a range of things you must have or be able to provide, but there isn’t a mandated structure. Each company will have to make those records and that documentation fit within its own business and processes.
Is the DPO role better staffed by a technical or non-technical person?
The person needs to understand the technical things put in front of them, but they don’t have to be a technical person. In fact, he/she should be a broad-based individual, because they have to understand the business implications and how to talk to and communicate with external people like supervisory authorities. In larger organizations, we’ve seen that the DPO has a number of people that he/she can draw support from. We’ve also seen customers who have teams of 2 or 3 people with DPO-like responsibilities that form the office of the Data Protection Officer.
How will GDPR impact educational institutions? Will schools require a DPO?
The potential is for a significant impact. GDPR puts data protection mandates with teeth to ensure protection of EU resident data. While there are provisions for using personal data for research, educational institutions must still protect the data.
As for requiring a DPO, the need is based more on the processing activity than on the industry per se. If you are processing personal data of EU residents, then the GDPR likely governs those activities. The extent of the data processing drives the need for a DPO. The relevant text in the regulation states:
1. The controller and the processor shall designate a data protection officer in any case where:
- (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
This means that companies may run into a situation where 10 months out of the year they do not require a DPO, but a seasonal surge in business requires them to have one. It is one of the reasons that having a DPO is a business best practice. The DPO need not be a net new hire in the business. An existing employee can fill the role, provided they fulfill the requirements also outlined in the GDPR. Additionally, for businesses that are part of a larger holding company, "a group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment." There is also the option to rely on a third party, as we have even seen listings for DPOaaS (DPO as a Service).