Everything you Need to Know about The Data Protection Officer Role

1. The Data Protection Officer (DPO): Everything You Need to Know Debra J. Farber, JD, CISSP-ISSMP, CIPP/US/E/IT/G, CIPM, FIP U.S. Chief Privacy Officer, CRANIUM

2. Who am I? • Consultant and non-practicing lawyer; • 14 years experience operationalizing privacy and security; • Executive Consultant & CPO at CRANIUM; • Advisor to BigID; • IEEE Personal Data Privacy Working Group; • IAPP CIPT Exam Development Advisory Board; • Sr. Director, Global Public Policy (Security & Privacy) at Visa; - Member of the Advancing Cyber Resilience Working Group at The World Economic Forum (WEF); • Co-Founder of Women in Security & Privacy (WISP); • Sr. Privacy Consultant & Product Manager at TrustArc; • CEO & Principal at Farber Strategies Inc.; - Executive Faculty at IANS; - Professional Privacy Faculty Member at the IAPP; • Director Product & Platform Privacy at Numera; • Chief Privacy Officer at The Advisory Board Company; • Managing Consultant (Privacy & Security) at IBM Global Services; • Sr. Manager, Privacy & Policy at Revolution Health; • Manager, Online Privacy at American Express @privacyguru

3. Agenda • The EU’s GDPR in 60 seconds • When does an organization need to hire, appoint, or contract with a DPO? • To whom should the DPO report to remain “independent” & avoid a conflict of interest? • Who can serve in the DPO role? • What are the DPO’s responsibilities? • Alphabet Soup: CPO vs. DPO vs. CISO • The war for talent & how companies are staffing the DPO role • Questions? 3

4. The EU’s GDPR in 60 seconds

5. When does an organization need to hire, appoint, or contract with a DPO?

6. The GDPR states that appointing a DPO is mandatory to facilitate compliance with the GDPR in the following 3 specific cases: • You are a Public Authority or Body, or acting as one; • Your core activity consists of processing personal data “on a large scale,” which requires “regular & systematic monitoring;” or • Your core activity consists of processing “on “a large scale special categories of data.” You may still choose to appoint a DPO even when the GDPR does not require it.

7. 9 What Percentage of Your Software Vulnerabilities have GDPR Implications? DOWNLOAD THE FREE E-BOOK We talked with LocalTapiola, a Finnish financial services company, about their efforts to prepare for GDPR and did our own analysis showed that 25% of bugs on HackerOne have GDPR implications GDPR Article 33 states that data breaches must be disclosed to the organization’s supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” It’s not uncommon these days for organizations to require weeks or months to remedy a vulnerability. Our advice regarding GDPR has always been to find and fix vulnerabilities before they can be exploited. There’s no disclosure requirement for bugs, only for breaches, and running a bug bounty program is a great way to identify vulnerabilities before the bad guys do.

8. To whom should the DPO report to remain “independent” & avoid a conflict of interest?

9. The DPO must be “independent”? A DPO cannot hold a position within the organization that leads them to determine the “purposes and the means of the processing” of personal data or that otherwise creates a conflict. Data controllers or processors should: • Identify positions which would be incompatible with the DPO function; • Draw up internal rules to avoid “conflicts of interests;” • Formally declare via internal & external comms & in policy documentation that the DPO has no conflict of interests with regard to function as a DPO, as a way of raising awareness of this requirement; • Include safeguards within the organization’s internal rules and ensure that the publicly-posted DPO job description or the services contract for an External DPO is sufficiently precise and detailed in order to avoid a conflict of interests. More likely an independent reporting line: More likely a conflict of interest reporting line: - Chief Compliance Officer; - Chief Privacy Officer; - Audit team; - Chief Information Security Officer; - Report directly to the CEO, COO, Board, etc.; - Chief Information Officer; - External contractor (i.e., outside consultant or counsel) - Business Line reporting: i.e., Marketing, HR, Product, etc.; reporting to a C-level officer or the Board; - Reporting up to other business executives who determines the - Other reporting line without conflicts purpose & means of processing

10. Obligations to support your independent DPO Your org is ultimately responsible for GDPR compliance & must be able to demonstrate that compliance, not the DPO. The Article 29 Working Party called out the following activities as necessary for an org to properly support its DPO: • Active support of the DPO by senior management – i.e., Board-level, C-level; • Sufficient time to fulfill their duties; • Financial, infrastructure and staff resources; • Official communication of the DPO appointment to all employees; • Access to stakeholders such as HR, Legal, IT, Security etc.; • Continuous training; and • A DPO team depending on the size and structure of the organization; The DPO’s employer may NOT: • Instruct the DPO on how to deal with a matter, what result should be achieved, how to investigate a complaint, or whether to consult the Supervisory Authority (“SA”); or • Instruct the DPO to take a certain view of an issue related to data protection law or follow a particular legal interpretation.

11. Who can serve in the DPO role?

12. The GDPR does not specify the precise credentials a DPO is expected to have. However, the WP29 defines certain minimum requirements regarding the DPO’s expertise & skills: • Level of Expertise: It is essential that the DPO understand how to build, implement, & manage data protection programs. The more complex or high-risk the data processing activities are, the greater the expertise the DPO will need. • Professional Qualities: DPOs need not be lawyers, but they must have expertise in member state and European data protection law, including an in-depth knowledge of the GDPR. DPOs must also have a reasonable understanding of the organization's technical and organizational structure and be familiar with information technologies and data security. • In the case of a public authority or body, the DPO should have sound knowledge of its administrative rules & procedures.

13. What are the DPO’s responsibilities?

14. •Collect information to identify and analyze processing activities; •Analyze and check the compliance of processing activities •Conduct audits to ensure GDPR compliance & address potential issues Monitor Compliance •Inform, advise, & issue recommendation on data handling to the controller or processor – e.g., based on DPIAs •Educate company / employees on GDPR obligations & other data protection requirements; and train data handling staff Inform & Advise •Cooperate with the Supervisory Authorities (“SA”) & make the organization’s records available on request •Proactively report issues with data processing, such as data breaches Coordinate with the SA •Serve as single point of contact for data subjects inquiries •Provide information on data subjects’ rights related to the org’s data protection practices, withdrawal of consent, the right to be forgotten, & other rights Serve as Privacy Contact According to the GDPR, the DPO must perform the following tasks:

15. •Effectively communicate to personnel, the appointment of the DPO and his or her functions; •Ensure the DPO has significant independence in the performance of his or her role; •Ensure a direct reporting line “to the highest management level” of the company; •Involve the DPO at earliest stage possible in all issues relating to privacy & data protection; •Invite the DPO to participate in senior management meetings to represent privacy & data protection interests. Effective Governance •Provide sufficient time & resources (financial, infrastructure, equipment, training, & staff) necessary for the DPO to keep up-to-date with data privacy & security developments and to carry out tasks effectively & efficiently. Resources & Training •Provide appropriate access to personal data that the organization processes, including access to the systems; •Promptly consult the DPO in the event of a personal data breach or security incident; •The DPO’s opinion must be given due weight. Should the business choose not to follow the advice of the DPO, the business should document the reasons for such decision. Appropriate Access •DPOs may perform other tasks and duties provided they do not create conflicts of interest (e.g., training the Board, executives, & employees); •Job security: the GDPR expressly prevents dismissal or penalty of the data protection officer for performance of her tasks and places no limitation on the length of this tenure. Other Functions Orgs have GDPR obligations to support the DPO:

16. DPO Job Description (example) Expertise and Professional Qualities • Expertise in national & European data protection laws and practices and an in-depth understanding of the GDPR; • Years of experience in data protection program management commensurate with the sensitivity, complexity, & amount of data the employer processes; • Integrity & high professional ethics; • Can handle info & business affairs w/ secrecy & confidentially as appropriate; • Demonstrated leadership & project management experience; • Ability to communicate effectively with the highest levels of management & decision-making within the organization; • Familiarity with privacy and security risk assessment and best practices, privacy certifications/seals, and information security standards certifications; • Sound understanding of and familiarity with information technology programming & infrastructure, and information security practices and audits; • Ability to communicate effectively with data subjects, data protection authorities, & other controllers and processors across national boundaries and cultures; • Adequate self-awareness & confidence to acknowledge knowledge gaps and seek to fill them from reliable sources; • Knowledge of the business sector & of the employer’s organization; • Sufficient understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the employer; • In the case of a public authority or body, the DPO should also have a sound knowledge of the administrative rules and procedures of the organization. DPO Tasks • Inform, advise, & issue recommendations regarding GDPR compliance; • Foster a culture of data protection within the org & help to implement essential elements of the GDPR, such as the principles of data processing, data subjects’ rights, data protection by design & by default, records of processing activities, security of processing, & notification and communication of data breaches • Advise the controller/processor regarding: • Whether or not to carry out a data protection impact assessment (“DPIA”), • What methodology to follow when carrying out a DPIA, • Whether to carry out the DPIA in-house or outsource it, • What safeguards (including technical and organizational measures) to apply to mitigate any risks to the rights and interests of the data subjects, • Whether or not the DPIA has been correctly carried out and whether its conclusions (whether or not to go ahead with the processing and what safeguards to apply) are in compliance with the GDPR; • Maintain the record of processing operations under the responsibility of the controller as one of the tools enabling compliance monitoring, informing and advising the controller or the processor; • Document all decisions taken consistent with and contrary to DPO’s advice; • Offer consultation once a data breach or other incident has occurred. • Ability to fulfill tasks • Adequate and regular ongoing training; • Self-starter and ability to act independently

17. Alphabet Soup: CPO vs. DPO vs. CISO

18. Responsible for setting and implementing global data handling policies & rules, and advising the business on the ways and means of processing Responsible for putting in place data protection by design and default; complete DPIAs where processing of personal data poses a “high-risk” Responsible for GDPR documentation: e.g. records of processing; subject access requests; Responsible for implementing processes into the business that respect the rights of the data subject (e.g., rights to access, rectification, portability, erasure, etc.) Responsible for securing global corporate infrastructure, applications, IP, & personal data Support CPO by answering security questions Responsible for implementation of appropriate technical & organizational measures to ensure a level of security appropriate to risk Responsible for ensuring the security of the systems and transactions with respect to the rights of data subjects Responsible for oversight of EU privacy, data protection, & security compliance Advise CPO on when a DPIA is necessary & the risk-based methodology to use; review risks identified by DPIA for GDPR compliance Advise the CPO & CISO on meeting GDPR documentation requirements, mitigating security controls, whether controls have been accurately carried out Advise the organization on whether it is appropriately respecting the rights of data subjects * The DPO may benefit from support from a Data Protection Office. * The DPO may be physically located in another jurisdiction.

19. The war for talent & how companies are staffing the DPO role

20. Contact Info: Debra J. Farber debra.farber@craniumusa.com @privacyguru @CraniumUSA https://www.linkedin.com/in/privacyguru

21. HackerOne Response: The VDP SaaS Platform Benefits of a VDP Platform Better signal:noise ratio Decorate reports with industry standards (cvss, cwe, affected asset) Better data security via encryption Streamlined workflow and comms process Easier and more informative reporting DOWNLOAD THE FREE E-BOOK Email is not a very good mechanism for tracking multiple cases at once. Vendors...should consider setting up a web-based case tracking system instead. CERT CVD Guide, page 58 Section 7.1.1.1 and 7.1.4 GDPR requires companies to maintain “...a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing,” which is exactly where bug bounties fit in. Our specialized product for PSIRT teams, HackerOne Response, has helped orgs like GM, DoD, and Adobe achieve their goals

Jul	AUG	Mar
	31
2017	2018	2020