
American Cyber Security Management

Secure and certify all your data and processes


Do I need a DPO?

January 24, 2018 By Carlin Dornbusch

As businesses are being impacted by the European Union’s (EU) enactment of the General Data Protection Regulation (GDPR), many are asking themselves questions about the ownership of their privacy program. Do I need a Data Protection Officer (DPO)? Can I get by assigning this to my CISO, Director of Compliance, or my General Counsel?

The GDPR requirements for a DPO, their duties and reporting structure, are spelled out in Section 4 of the regulation, which encompasses Articles 37-39.

According to Article 37, you must assign a DPO if:

  • You are a public authority processor
  • You regularly and systematically monitor data subjects on a large scale
  • You are processing on a large scale any special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10

This article goes on to state that public authorities are able to designate a single resource that can aggregate the responsibility across multiple organizations. This decision needs to take into account the bandwidth of the DPO and how scalable the policies and processes are across the organizations.

It is also important to note that the DPO can be an employee of the organization or a contracted resource. In either case, the controller must publish the contact details of the DPO and ensure the EU supervisory authorities have this information.

While there are parts of the GDPR that are considered unclear or grey, the requirements for a DPO are very clear. The DPO role is new for many U.S. based companies, but it should bring a strong sense of certainty around privacy to any company where EU citizen/resident data needs to be managed.

If you have questions about whether or not you need a DPO, please contact us at: https://www.americancsm.com/services/privacy-by-design/

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Privacy specialists can help you make sense of and comply with GDPR.

Filed Under: Cyber Security News

Measure your security and compliance program webinar

January 19, 2018 By American Cyber Security Management

Do you understand how to measure your security and compliance program? If not, check out this webinar with our own Janelle Hsia, Director of Privacy and Compliance. Learn how good metrics can build the story you bring to management to help ensure your data stays protected and secure.

Click here for the webinar hosted on SurveyGizmo.

Filed Under: Cyber Security News

Colorado GDPR MeetUp Announcement – February

January 19, 2018 By Carlin Dornbusch

As the deadline for GDPR, May 25, 2018, nears, many companies are still struggling with their implementation and some are complete. This MeetUp brings together privacy practitioners, GRC leads, and others interested in and leading their GDPR transformations. The goal of this group is to discuss and share learnings, emerging best practices, technical solutions, and keep up to date on regulation changes.

You are welcome to join this group via MeetUp.com at https://www.meetup.com/meetup-group-coxjsIUF/. Our next meeting will focus on an overview of GDPR, allowing the group to determine future topics and the level of detail desired. Carlin Dornbusch from American Cyber Security Management will present the GDPR overview and lead the group through Q&A.

This informative meeting will be held on Tuesday, February 27th, 2018, at the Trimble office in Westminster: 10368 Westmoor Dr, Westminster, CO 80021.

Details on GDPR specifics can be found on the EU’s official website: http://www.eugdpr.org/

Filed Under: Cyber Security News

What is your GDPR story?

January 18, 2018 By American Cyber Security Management

#AmericanCSM   #privacy   #GDPR   #gap analysis #competitive advantage

GDPR is about responsible data practices, not just ensuring you can check the right boxes. With about four months before the May deadline, a lot of companies are seriously behind with their GDPR implementation. So instead of worrying about it, what steps can you take today that will move your company forward?

It really is very simple: you must start to develop a culture that is concerned about how you treat other people’s data. Just do the right thing. It starts with a commitment from the executive team. They must be transparent and accountable for their actions. Doing the right thing with other people’s data might also be part of purchasing criteria for consumers; hopefully, it will become the social norm. It can become a competitive advantage as you build trust with your clients, vendors, and suppliers.

One thing you can do is tell your story. You need to be able to articulate what your company is doing to change how it deals with other people’s data. Here are some good examples of how some companies are making changes:

  • We used to collect erroneous data and now we only collect fifteen (15) pieces of data to help us make a hiring decision.
  • We never used to delete client data and now after a contract ends, we properly notify the client and delete the data 90 days after final payment.
  • We did a full audit of our data and were able to consolidate all personally identifiable and sensitive data into just two systems. We are working towards an integration that will give individuals seamless, simultaneous access to both systems but right now it is a manual process to look that data up in both systems.
  • We are taking consent very seriously. We updated our privacy policy, cookie policy, and ensure that all correspondence is utilizing double-opt-in. There is a higher return on our marketing dollars because we know that each person who receives our information WANTS it.
  • We do regular security training with our employees. This ensures that they can protect the data that we collect.

This is huge progress. So, what is your story? Where is your company on the journey to responsible data management? Here are some steps you can take right now:

  • Understand your data. Know its purpose to your business, know where it is coming from, where it is going, and all the stops it makes along the way.
  • Perform a gap analysis. You can’t fix something you don’t understand.
  • Prioritize and create a plan for how you will implement a comprehensive privacy program and make it realistic.

It might seem overwhelming, but don’t make bad short-term decisions. Remember, May isn’t the destination; it is just another date on the calendar. What really matters is the change in attitude over how other people’s data is handled and understanding that you have a responsibility to ensure its safekeeping.

If you need help realizing the benefits of a GDPR gap analysis or creating an action-oriented plan, please contact us at American Cyber Security Management today.


Filed Under: Cyber Security News

Colorado GDPR MeetUp Announcement

January 2, 2018 By Carlin Dornbusch

As the deadline for GDPR, May 25, 2018, nears, many companies are still struggling with their implementation and some are complete. American Cyber Security Management would like to bring together privacy practitioners, GRC leads, and others interested in and leading their GDPR transformations. The goal of this group is to discuss and share learnings, emerging best practices, technical solutions, and keep up to date on regulation changes.

You are welcome to join this group via MeetUp.com at https://www.meetup.com/meetup-group-coxjsIUF/. Our first meeting will be a collaboration among the attendees to define our future meetups and put in place a framework for the meetings that is designed to aid information sharing.

Our first meeting will be held on Wednesday, January 17th, 2018, at the Trimble office in Westminster: 10368 Westmoor Dr, Westminster, CO 80021.

Details on GDPR specifics can be found on the EU’s official website: http://www.eugdpr.org/


Filed Under: Cyber Security News
