My name is Ian Burnett, CIPM, and I am the Data Protection Officer for First Advantage in Europe. In this paper, I am going to talk about the Data Protection Officer role, its ongoing responsibilities and what to do as we progress towards the implementation of the General Data Protection Regulation (GDPR). This is the third installment in a series of topics in which we will discuss the potential impact of the GDPR on your EU or global background screening processes. While this discussion is focused on the steps First Advantage has taken to appoint a Data Protection Officer, the content in general is instructive for most businesses that are established in the EU or that conduct business in the EU to some degree.
What role does the Data Protection Officer perform?
A Data Protection Officer (DPO) under GDPR must be designated where the core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or where the core activities consist of processing on a large scale of special categories of data or of personal data relating to criminal convictions or offences. 1
As First Advantage handles the processing of criminal conviction personal data, we have designated a Data Protection Officer.
As outlined in Article 39 of the GDPR, the DPO is expected to be responsible for the following:
- Educating employees on important compliance requirements
- Training employees involved in the processing of personal data
- Conducting compliance reviews to address potential issues proactively
- Acting as the point of contact between the company and the EU data protection supervisory authorities
- Managing records of data processing activities conducted by the company
- Acting as the contact point for data subjects to advise them about how their data is being used, their rights and the measures in place to protect their personal data
What should the Data Protection Officer be doing in the lead up to commencement?
For DPOs, the enforcement date of GDPR, 25 May 2018, is the day when the aspects of GDPR evolve from being part of a project to being business as usual. To ensure that the organization is compliant on Day 1, the Data Protection Officer needs to be working with the GDPR project team to ensure that all of the required changes are in place.
The DPO should be asking themselves the following questions:
- Have all required changes to the systems been completed?
- Has technology security been reviewed and, where required, have improvements been implemented?
- If you are a data processor, have your data controllers communicated their requirements to you, and have those requirements been implemented?
- Is your privacy and data protection statement up to date?
- Do we have the appropriate consent in place to collect, use and disclose the personal data we collect?
- Have we got policies and procedures in place to cover the rights of individuals?
- Has the privacy and data protection training been updated, distributed to all employees and been completed?
- Is there a compliance framework in place to monitor compliance with GDPR?
A key requirement of the DPO’s role under GDPR is to monitor compliance with the Regulation. This is an important requirement to ensure that the policies and procedures in place on Day 1 continue to operate well throughout the year and beyond.
A compliance framework involves the effective implementation of a number of components. In particular, these include:
- Identification of obligations and related controls to ensure that the organization’s obligations are met and that non-compliance can be prevented
- Continual monitoring of controls to advise on their effectiveness
- Taking effective action when non-compliance occurs, to correct the error and to manage the consequences
- Achieving continual improvement in the compliance framework.
Next in the GDPR Information Series: “Consent”
About Ian Burnett
Ian Burnett is a Certified Information Privacy Manager. He has over 20 years’ experience in compliance and audit, having practised in a range of financial services businesses in Australia where he was also Privacy Officer and Anti-Money Laundering Compliance Officer. He has also completed his Diploma of Financial Services in Financial Planning and in Foreign Exchange and passed the Certified Information Systems Auditor examination.
About First Advantage
First Advantage provides comprehensive background screening, identity and information solutions that give employers access to actionable information that results in faster, more accurate people decisions. With an advanced global technology platform and superior customer service delivered by experts who understand local markets, First Advantage helps customers around the world build fully scalable, configurable screening programs that meet their unique needs. Headquartered in Atlanta, Georgia, First Advantage has offices throughout North America, Europe, Asia and the Middle East.
Information Content Notice:
Although the foregoing has been authored by the First Advantage Global Legal Compliance Team, we are not authorized to provide your organization with legal advice because First Advantage is not a law firm.
The foregoing information is rather provided in a spirit of partnership as helpful information on the possible impacts associated with GDPR.
Please share this document with legal counsel familiar with your organization and who has expertise in GDPR compliance. Given the substantial financial penalties associated with GDPR compliance and their possible impact on your revenue, legal review is an essential part of your organization’s preparation for GDPR compliance.
Current as at February 2018.
© 2018 First Advantage Corporation
1 Article 37(1) of the GDPR.