Data Protection is Trending in the Middle East

Briefing

Countries in the Middle East have bold plans for economic growth, new technologies, innovation and urban development in the next ten to twenty years. The United Arab Emirates (UAE) is at the forefront of this high ambition. Bahrain, Qatar and Oman are smaller still, but are resource-rich and intend to diversify to meet a changing world. Saudi Arabia is a sleeping giant with confident plans for urbanisation and diversification of its economy. Israel stands slightly apart with its efforts to update its long existing data protection laws. The nation is highly regarded for technology, security, unicorn companies and start-ups, with a successful history of technology exports. All of these countries are adopting new data protection laws, maturing existing rules or expanding the scope of technology regulation. These policy shifts seek to protect individual rights, build trust in new technologies and increase international and regional data flows. Data protection is trending in the Middle East, because the region is investing heavily in data, technology, automation, smart cities and scientific innovation. Turkey is a notable regional neighbour and the country most fully aligned to international data protection and EU standards. Turkey serves as a reference point for the wider region. The overall regional picture is not uniform. There are different approaches, differing levels of data protection maturity, variable enforcement, many timelines and a range of expectations.

United Arab Emirates (UAE)

The UAE is made up of seven emirates. These are Abu Dhabi (the capital), Ajman, Dubai, Fujairah, Ras Al Khaimah, Sharjah and Umm Al Quwain. The country has three international-facing data protection regulatory systems. The most recent is the UAE Data Protection Law of 2021. It is wide-ranging but does not apply to the UAE government or government organisations. The UAE Data Office, the data protection regulator, is still being fully set up. Rules, regulations and guidance will be published soon to clarify and expand the law. These updates and clarifications could be announced at relatively short notice, so companies and organisations must watch developments closely.

The other two laws relate to the UAE’s Free Zones that focus on international financial services, fintech, cryptocurrencies and sectors adjacent to these services. Abu Dhabi Global Market (ADGM) data protection laws were updated in 2021, adding elements that mirror the EU’s General Data Protection Regulation (GDPR). Dubai International Financial Centre (DIFC) data protection rules were updated in 2020 and adopted several matching principles and elements of the GDPR. The DIFC law is now more interoperable with the GDPR. DIFC has been taking steps to grant data protection adequacy to the EU, UK and Singapore. There is an ongoing appetite to establish data flows with other trusted countries and regions.  

For further information and analysis, please read PrivacySolved’s detailed briefings on:

Abu Dhabi Global Market (ADGM) Data Protection

Dubai International Financial Centre (DIFC) Data Protection

UAE Data Protection Law

Bahrain

Bahrain’s Personal Data Protection Law (PDPL) came into force in August 2019. The key definitions largely mirror the definitions in the EU’s GDPR. Independent Data Protection Guardians, who are like GDPR Data Protection Officers, are to be appointed. Penalties range from 100 to 20,000 dinars and could also include a year in prison. The regulator is the Ministry of Justice and Islamic Affairs (MOJ), which carries out the duties of the Bahrain Personal Data Protection Authority.

Qatar

Qatar’s Protecting Personal Data Privacy Law (PPDP) was enacted in 2016. The definitions in the law are similar to those in the EU’s GDPR and incorporate key international data protection principles. The Qatar Financial Centre (QFC), a Free Zone in Doha, also has its own data protection rules for businesses and organisations that are registered and licensed by the Centre. The Qatar Financial Centre Authority updated the QFC’s 2005 data protection regulations in December 2021 with new regulations and rules aligned with GDPR.

Saudi Arabia

The Kingdom of Saudi Arabia introduced its first Personal Data Protection Law (PDPL) by royal decree in September 2021. This was followed by a draft Executive Regulation in March 2022 to interpret and extend the PDPL. The regulator is the Saudi Data & Artificial Intelligence Authority (SDAIA). The PDPL comes into force on 17 March 2023 (postponed from 22 March 2022). The law reflects key elements of international data protection principles, EU GDPR and mirrors various data protection laws in the Middle East.

Israel

Israel’s data protection law was introduced in 1981. Data Security Regulations followed in 2017. These include the concepts of personal data, sensitive data, database, database owner, database holder and database manager. The main law is the Protection of Privacy Law and the regulator is the Privacy Protection Authority (PPA), which is part of the Ministry of Justice. Israel’s data protection landscape is a mix of law, regulations and formal guidelines issued by the PPA. The European Commission granted Israel data protection adequacy in 2011, under the EU Data Protection Directive 1995, and Israel remains the only country in the Middle East to have received an EU adequacy decision. Further legal alignment with the EU’s GDPR may be required going forward. In 2021, the Ministry of Justice announced proposals to update Israel’s data protection laws to improve the regulatory scope and key definitions and to increase the PPA’s enforcement powers.

Other Countries in the Middle East

Turkey, a near neighbour to the Middle East with enduring historical and trade links, introduced a comprehensive data protection law, the Protection of Personal Data Law of 2016. Turkey also ratified the Council of Europe Convention 108 in 2016. The Turkish Personal Data Protection Authority, Kişisel Verileri Koruma Kurumu (KVKK), is the regulator. Turkey’s data protection regulatory landscape reflects international data protection principles and is substantially similar to the EU’s GDPR.

Egypt introduced a Law on the Protection of Personal Data in 2020. The law includes principles, definitions, rights and duties that mirror the EU GDPR. The Minister of Communications and Technology is tasked with publishing Executive Regulations for the law. The regulator is the Data Protection Centre, but this organisation has not been fully established. Lebanon has a basic data protection law in the form of the Electronic Transactions and Personal Data Law of October 2018. There is no independent data protection regulator. Oman published a Personal Data Protection Law in February 2022, with plans to bring it into force in February 2023.

Jordan published a draft data protection law in 2021. Iraq, Iran, Kuwait, Palestine, Syria and Yemen do not have comprehensive national or international-facing data protection laws.

Other Future Trends to Watch

The UAE and Saudi Arabia are moving quickly to expand their national artificial intelligence capabilities and introduce regulatory frameworks for new technologies. Fintech will continue to grow and mature in most countries. The emergence of Middle Eastern data protection regulators with distinct voices, regulatory approaches and ways of operating is a noticeable trend. The Turkish Personal Data Protection Authority (KVKK), ADGM Office of Data Protection (Commissioner for Data Protection) and the DIFC Commissioner of Data Protection are creating notable blueprints. In the longer term, Chinese investment in the Middle East coupled with the strengthening of historic ties with India, will impact the regulatory environment in the Middle East. China’s recent data protection and data security laws, as well as India’s impending comprehensive data protection law will also shape data protection, cybersecurity, data flows, trade and the market adoption of new technologies and innovation.

For help, support and advice with data protection, data breach response, cybersecurity strategy, new technology projects and artificial intelligence data risks in the Middle East, especially the UAE, Turkey, Israel, Saudi Arabia, Bahrain and Qatar, contact PrivacySolved:

London +44 207 175 9771

Dublin +353 1 960 9370

Email: contact@privacysolved.com

PS052022

Ireland’s Cautious Cybersecurity Outlook

Ireland should be a cybersecurity powerhouse. However, the nation takes a cautious approach. The country is a preferred destination for California’s Silicon Valley technology giants and other foreign technology investments. The island is home to around 30% of Europe’s data centres. It has artfully managed its strategic relationships with the European Union and the United States of America. Technology and cybersecurity clusters in Dublin, Cork, Galway and Shannon continue to grow and attract investment. Cyber Ireland, the national cybersecurity cluster, is seeking to join up and mature the local ecosystems. Headline-grabbing cyberattacks such as WannaCry (2017), NotPetya (2017) and the Health Service Executive (HSE) ransomware attack in May 2021 were significant warnings to Ireland to significantly upgrade its national information security resilience. In 2021, it was estimated that cybercrime cost Ireland €9.6 billion a year. Ireland’s public sector remains stoic, pragmatic and relatively low spending. In contrast, the private sector is developing a growing appetite for cybersecurity services and solutions.

Ireland’s National Cyber Security Strategy 2019-2024

Ireland’s current National Cyber Security Strategy was published in 2019 and covers the five years from 2019 to 2024. Ireland’s National Cyber Security Centre (NCSC) is the main body responsible for the Strategy and many of the measures set out in the document. The NCSC is also accountable for Ireland’s Critical National Infrastructure information security and for enforcing the EU’s Networks and Information Systems Directive (NIS Directive). The NCSC has been designated as Ireland’s Cyber Security Incident Response Team (CSIRT-IE). See the PrivacySolved Insights Briefing Cybersecurity: Focus on Ireland’s National Cyber Strategy for more details on the Strategy.

Cautious New Funding for the National Cyber Security Centre (NCSC)

Ireland’s digital economy has been valued at USD $14 billion and is increasingly facing cybersecurity threats that have led to increases in cybersecurity spending in the private and public sectors. In July 2021, two months after the HSE ransomware attack, the Irish Government announced a doubling of staff numbers at the NCSC over the following 18 months. This was estimated to cost €2.5m in the first year. Twenty (20) new roles would be added to the existing 25 already working at the NCSC. The longer-term plan is to reach 70 employees within five years (by 2026). A new headquarters building, new graduate training programme and a new head of the NCSC have also been added.

There are growing calls for the NCSC to receive more funding as a good investment and to reflect the spending priorities of Ireland’s European neighbours like the UK, France, the Netherlands, Belgium and Germany. Evidence given to the Irish Parliament’s Joint Oireachtas Committee on Transport and Communications in May 2021 suggested that the NCSC should receive a tenfold budget uplift from £5 million a year to £50 million a year. Ireland is informally called “data island” because of its considerable market share of European data centres, yet the NCSC’s £5 million budget is relatively low. For context, the NCSC’s budget is said to be a third of the spending by the public relations (PR) team in the Department of the Taoiseach (the Irish Prime Minister’s Department), which was about 16.9 million in 2020. A former Chief Executive of the HSE suggested in 2021 that the HSE’s expenditure on IT security was about a quarter of what would be expected when compared with other health systems. On closer analysis, there is evidence of underinvestment in government and public sector information security. By contrast, the $300 million Irish market for cybersecurity solutions and services (mainly private sector) is growing.

Cyber Security Baseline Standards (Public Sector)

In January 2022, the NCSC and the Office of the Government Chief Information Officer (OGCIO) published their jointly developed Cyber Security Baseline Standards for Irish Public Sector bodies. The Standards are intended to create an acceptable security standard, build a more resilient security environment and form a broad framework for measures which can be revised over time. The standards will help organisations improve the management of cybersecurity risks, allowing Public Service bodies to better identify, protect, detect, respond to, and recover from cybersecurity attacks. This will minimise damage and adverse impacts. 

The Standard includes a Cyber Incident Response Plan (CIRP) checklist and checklists for a range of other activities such as Preparation, Detection and Analysis, Containment, Eradication and Recovery, and Post-Incident Activity. It is a minimum set of standards and requires organisations to expand upon these depending on their activities and risk profiles.

Data Protection Commission Ireland’s data breach enforcement efforts

Data Protection Commission Ireland (DPC Ireland) is Ireland’s data protection and GDPR regulator. Since May 2018 it has not developed a significant and high-profile body of case work on major cyberattack response and data breaches. So far, DPC Ireland’s position on major data breaches remains underdeveloped. However, in October 2021, DPC Ireland fined Twitter €450,000 for reporting a data breach late, which breached the GDPR. DPC Ireland’s Annual Report 2021 suggests a high level of engagement and high rates for resolving personal data breach notifications and referrals. In 2021, the Commission received 6,549 personal data breach notifications and concluded its work on 95% (6,274) in the same year. In October 2021, DPC Ireland received a budget increase of 22% (€4.1 million) from the year before, to €23.2 million for the next year. At present, DPC Ireland receives nearly five times the annual budget of the NCSC. DPC Ireland has 190 staff, four times more than the recently enlarged NCSC.

Future Developments

The key future developments to look for are more public sector cybersecurity funding and specific new investment and resources for the NCSC. The growth and maturity of the NCSC will be demonstrated by a larger staff pool, more IT and technical specialists and more involvement in critical national infrastructure initiatives. The NCSC is beginning to work more fully with the EU’s Agency for Cybersecurity (ENISA), the UK’s National Cybersecurity Centre (UK NCSC), the US Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA). Together they respond to coordinated threat alerts and cyberattack responses. Future high impact cross-border activities will also imply maturity, growth and development. DPC Ireland’s increased enforcement activities, especially in the area of large data breaches, sophisticated cyberattacks and GDPR non-compliance in large systems will signal a more confident future for Ireland’s cybersecurity, data protection, trust and national security resilience efforts.

Resources

Ireland National Cyber Security Strategy 2019-2024

Ireland Cyber Security Baseline Standards 2022


PS042022

Sanctions, International Data Flows and ESG Compliance

Briefing

Globally, at any given time, there are international, economic or trade sanctions in place that directly affect countries, sectors, businesses, organisations and individuals. The world is interconnected in terms of trade, investment, financial flows, debt repayments and just-in-time supply chains. Sanctions are often underpinned by laws with criminal and civil penalties. Russia’s annexation of Crimea in 2014 and its subsequent invasion and war in Ukraine in 2022 have led to an unprecedented level of international, coordinated and punishing sanctions against Russia. Its political system, leaders, parliament, central bank, key sectors, businesses, influential individuals and its uber-rich citizens called oligarchs have all been targeted. Currently, significant sanctions are in place against Russia, Belarus, Iran, North Korea, Syria, Myanmar, Venezuela and Cuba. The European Union, China and the United States have imposed a range of unilateral trade sanctions between themselves, in recent years, to protect several of their strategic sectors. Sanctions directly affect confidence, investment, trade and international data flows. After sanctions are imposed, the data flows to and from sanctioned parties must be scrutinised for lawfulness, human rights compliance and for fit with an organisation’s Environmental, Social and Governance (ESG) position.

Types of Sanctions

International sanctions are political and economic decisions, made through diplomatic efforts by countries, multilateral or regional entities against states and organisations to protect international law and national security and to defend against threats to international peace and security. These sanctions are normally put in place by the United Nations (UN), or by countries working in consultation with the UN. These decisions include temporary restrictions or blocks on economic, trade, diplomatic, cultural, environmental and other activities. Sanction measures are lifted when the issues that led to the restrictions end or the situation changes. Often, sanctions are given their primary functional title, such as diplomatic sanctions or economic sanctions. Sanctions remain the international community’s most powerful peaceful actions to prevent or respond to threats to international peace and security. Increasingly, unilateral sanctions can be imposed by a country on another nation to further its strategic interests via strong economic pressure through economic, trade or diplomatic activities. Breaching sanctions deliberately or inadvertently can lead to criminal or civil penalties. Assisting a sanctioned entity or an individual to evade sanctions can also lead to severe consequences for all involved.

Lawfulness and Fairness in Data Flows

A key principle in international data governance, data protection laws and in modern data privacy analysis is that the processing of personal data, personal information and personally identifiable information must always be done lawfully and fairly. Lawful means that the activity should not breach civil or criminal laws, directly or indirectly. Fairness is a wide concept and includes equity between the parties, respect for natural law, upholding fundamental rights, human rights protection, substantive fairness and fairness in processes. The principle of fairness discourages the sharing of personal data and personal information for covert purposes, or by tricks, deception, obfuscation, online dark patterns or via the misuse of language. Fairness considerations can also protect individuals with special or protected characteristics such as age (young and old), disability, ethnic origins or nationality.

The EU’s General Data Protection Regulation (GDPR) requires transparency and accountability in data flows. China’s Personal Information Protection Law (PIPL) and Brazil’s Data Protection Law (LGPD) contain a fundamental principle that all parties should act in “good faith” when they collect, use, share or store personal information. The flow of personal data to sanctioned countries, sectors, businesses, organisations, groups or individuals can conflict with lawfulness, fairness, transparency, accountability and good faith requirements. Companies and organisations should ensure that they do not breach these principles when dealing with sanctioned entities and individuals. Breaches of these data protection and data privacy rules could lead to investigations, reprimands, administrative fines, third-party actions, other enforcement action or legal (court) action.

International Personal Data Transfer Risk Assessments

Aware that the transfer and sharing of personal data to some foreign countries can put individuals at risk, breach national laws and cause other harms, European regulators such as the European Data Protection Board (EDPB) and the European Commission have led the way in developing data Transfer Impact Assessments (TIAs). In the UK, these are often called Transfer Risk Assessments (TRAs). These assessments seek to evaluate a wide range of information to assess the risks to individuals and personal data flows. They also assess the level of compliance with the GDPR and other laws in recipient countries or organisations. Considerations include the types of data, types of data subjects (individuals), the sectors, the purpose of the data transfer and the transfer methods proposed. The technical and organisational systems in place to secure the data transfers, the list of countries the personal data will pass through and the possibility of onward transfers to third or fourth countries are also crucial considerations. In this process, identifying sanctioned countries, organisations and individuals could be crucial to the sender’s corporate risk, insurance cover, legal compliance and liability.

Crucially, these data transfer assessments also aim to evaluate the receiving country’s human rights record, its legal system, its courts and how foreign judgments are recognised. The laws relating to third-party access to data, including by government bodies and the security and intelligence services are also reviewed.  

For a sanctioned country, organisation, sector or individual, these assessed factors will be influenced by the existence of sanctions. A country’s human rights record that led to international sanctions could make incoming international data transfers high risk, unlawful or unfair. Both the human rights record and the specific sanctions restrictions could prove to be problematic or prohibitive. If a country’s political system requires that all data centres and internet traffic are scanned for political purposes, this could make the data transfer high-risk, needing additional technological safeguards such as data minimisation, pseudonymisation or anonymisation to reduce the data protection risks. Sanctions may also prohibit certain economic activities or sector-specific trading, and so the sharing of personal data to facilitate these activities, directly or indirectly, could breach the sanction measures. Sanctions could target government or military organisations. This is the case in the sanction measures against Myanmar. Identifying true beneficial ownership is crucial. However, it is often difficult to clearly identify all government-directed, military-supported, government-owned and government-backed organisations. The work of transferring personal data to sanctioned countries, entities or individuals is difficult and it can be a dynamic, fast-moving environment.

Steps to Better Environmental, Social, Governance (ESG) and Compliance

The following steps will help businesses, organisations, governments and public sector bodies to better navigate the international personal data flows affected by sanctions regimes.

(A) Monitoring Sanctions Lists, in all relevant territories, should be a high priority. This should be done regularly, part of business as usual processes. These lists should also be consulted during supplier and partner due diligence and when a key organisation, in the existing supply chain, changes its ownership, size or composition. Experts that understand the full intent, meaning and implications of sanctions on data and personal data flows should be consulted.

(B) Registers of Processing Activities (ROPAs) should be properly maintained, reviewed and updated by companies and organisations that fall within the scope of the EU’s GDPR or similar laws in the UK, Brazil, China and the UAE. A ROPA can help to answer important preliminary questions such as the level of exposure to a sanctioned country, company, organisation, sector or individual. It can also be used to highlight, at least broadly, which countries send and receive which types of personal data and the intended purposes.

(C) Contractual agreements are important governance tools when dealing with sanctions. Contracts are widely used to facilitate trade and transfer personal data around the world. These include international data transfer agreements, data protection Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) and various types of data processing agreements. Sanctions could make these agreements voidable, void or otherwise untenable. Parties could be forced to trigger the frustration or force majeure clauses, which could lead to contract termination and remove existing duties to perform the contract. Signing agreements that undermine or conflict with sanctions, after sanctions have been imposed, could breach criminal and civil laws. Detailed legal advice and care should be taken when parties seek to deliberately contract in ways that aim to stay within the legal limits of transferring personal data to sanctioned countries, businesses, entities and individuals.

(D) Systematic Supply Chain Reviews are important, especially detailed periodic reviews. Companies and organisations could be subject to criminal and civil liability if they take steps to evade or help other parties to avoid sanctions. Work should be done to ensure that substitute suppliers and third parties are not simply re-routing goods, services and data to sanctioned countries, businesses, organisations and individuals. Mergers and acquisition activity should be monitored, as well as the unusual creation of offshore companies, holding companies, subsidiaries, branches and other formalised attempts to disguise the true beneficial owners of legal entities and assets.

(E) Anti-Money Laundering (AML) and Know Your Customer (KYC) Procedures should be upgraded. This is crucial in order to respond to the personal data risks associated with sanctioned countries, businesses, organisations and individuals. The use of cryptocurrencies, speciality blockchains, non-fungible tokens (NFTs), unexplained venture capital funds, aggressive modern art market investments, cybercrime and any involvement in the ransomware ecosystem, should be fully investigated.


PS032022

International Data Transfers: New UK Standard Contractual Clauses

On 21 March 2022, the UK formally adopted a new UK General Data Protection Regulation (UK GDPR) Standard Contractual Clauses (SCCs) regime. After the UK’s exit from the European Union (Brexit), this represents a necessary divergence from the EU approach, because the UK became a “third country.” The UK has now declared data protection adequacy for most of the countries that shared data protection adequacy before Brexit. However, as a third country, with the GDPR embedded into its laws, it needed to put in place appropriate safeguards for personal data transfers to the rest of the world. This is the main purpose of the UK’s new data protection SCCs.

Countries that have UK Data Protection Adequacy

The UK Government has granted data protection adequacy status to the twenty-seven (27) member states of the European Union (EU) and member countries of the European Economic Area (EEA), plus Gibraltar. The EU’s and EEA’s institutions, bodies, offices and agencies also have UK adequacy. The UK has also approved the countries the EU has declared adequate. These are Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate data protection.

The UK has published plans to actively pursue data protection adequacy agreements with key foreign countries. These high priority countries are Australia, Brazil, Colombia, the Dubai International Financial Centre Free Zone in the United Arab Emirates, India, Indonesia, Kenya, the Republic of Korea (South Korea), Singapore and the United States of America.

All the countries that have been declared adequate by the UK escape the complexities of putting in place wide-ranging appropriate safeguards, including the UK’s new SCCs, to facilitate international personal data transfers. The UK GDPR SCCs will govern international personal data transfers to non-EU, non-EEA and non-adequate countries in the rest of the world.

Understanding the new UK Standard Contractual Clauses Documents

Important Dates: The clauses become effective on 21 March 2022. By 21 September 2022, companies and organisations must start to use the new IDTA or UK Addendum for all new international personal data transfer arrangements governed by UK GDPR.  Contracts signed before this date using the old EU SCCs will continue to be valid until 21 March 2024, if the data transfers remain unchanged during this period.  By 21 March 2024, all data transfers under UK GDPR must use the new clauses. All historical UK GDPR international personal data transfers based on the old EU SCCs must be updated by that date.

The International Data Transfer Agreement (IDTA) is the UK’s new standalone SCC document. The main users will be UK-only based companies and organisations seeking to sign a stand-alone document to facilitate the data transfer. The IDTA could also be added as a self-contained schedule to another contract. It cannot be used by organisations that are seeking to cover personal data leaving both the EU and the UK. The IDTA is an alternative to the UK Addendum. The IDTA reflects the EU’s new SCCs, but not the modular approach seen in them. A wider range of parties such as Data Controllers, Data Processors and Sub-Processors can use the agreement and can list any supplementary measures that apply to the data transfer.

The UK Addendum is the UK Addendum to the EU’s SCCs for international personal data transfers. It is an alternative to the IDTA.  The main users will be companies and organisations that carry out EU to non-EU/EEA international personal data transfers and who also seek to add similar provisions for UK personal data that will be transferred outside the UK, EEA and the list of countries declared adequate both by the EU and the UK.

Transfer Risk Assessments (TRAs) must be completed when the IDTA or the UK Addendum are used, in order to assess the transfer risks and levels of compliance for the international personal data transfer. TRAs must be reviewed regularly. If the TRA indicates that the destination of the personal data transfer is not adequate, the company or organisation sending the personal data must put in place supplementary measures. It is likely that the UK Information Commissioner’s Office (ICO) will publish a UK GDPR TRA template or model for companies and organisations to use.


Unlocking the GDPR Data Protection Officer

Briefing

The EU’s General Data Protection Regulation Data Protection Officer (GDPR DPO) role has been specifically crafted. Before the GDPR, Data Protection Officers (DPOs) existed because of a range of national laws, guidance and best practice. Globally, related roles such as Chief Privacy Officers, Privacy Officers, Heads of Data Protection, Data Protection Lead Counsels, Data Guardians and Data Governance Leads have also developed. However, GDPR DPOs have a clearer legal mandate, function and licence to operate. The largest companies and organisations, subject to several data protection laws, must decide how much the GDPR DPO role will influence the overall structure and substance of their global data privacy programmes. The danger is that the fundamental and unique elements of the GDPR DPO role can become trapped in governance systems that prioritise uniformity, efficiency, base-level interoperability and the lowest common denominator. It is important that the GDPR DPO role remains distinct, effective, influential and accountable.

Benefits and Risks: Appointing and Not Appointing a GDPR DPO

Not all businesses and organisations are legally required to appoint GDPR DPOs. Before GDPR, most DPOs were regarded as good practice appointments, where there was no clear legal duty to do so. This practice has continued through GDPR implementation. The GDPR is clear that both Data Controllers and Data Processors should appoint GDPR DPOs, in line with the law. Broadly, all public authorities and non-judicial public bodies must appoint GDPR DPOs. They are also legally required where any organisation regularly and systematically monitors individuals on a large scale or carries out large-scale processing of special categories of personal data or criminal offences data. Most organisations, especially larger ones, fall within these two latter categories. Where the law requires a GDPR DPO, one must be appointed, or risk breaching the GDPR. DPO appointments also encourage data governance accountability.

Questions arise for small Data Processors or the Data Controllers that do not meet the GDPR DPO threshold tests. Should they appoint a GDPR-type DPO? If they do so, should the DPO be fully GDPR-compliant, or can the organisation create its own unique DPO role? European Data Protection Board (EDPB) Guidance states that if organisations adopt a GDPR DPO, even where they are not legally obliged to do so, that DPO will be judged against the full legal requirements of GDPR. Choosing not to have an identifiable GDPR DPO is also risky. The organisation will lack capacity to build and mature data protection programmes. Working with larger data-intensive organisations, liaising with GDPR regulators, responding to data breaches and keeping up to date with data protection, cybersecurity and good practice changes, will also be more difficult.

Managing Great Expectations

The GDPR DPO can be an internal employed member of staff or an external appointment. The office holder must be well qualified, well resourced, independent and act independently. They may fulfil another role in their organisation but must avoid conflicts of interest. For example, they must not make specific data processing decisions and then provide assurance or GDPR compliance sign-off for that data processing activity. They must act autonomously and cooperate with the GDPR regulator. They must have tangible influence by reporting to the highest level of management. Conversely, they must also be accessible and contactable by staff inside the organisation, external individuals, external stakeholders and GDPR regulators. They must also not be disciplined, removed or suffer other detriment because of performing their role and duties.

The GDPR DPO’s baseline outputs are to inform and advise. They must monitor compliance, which includes involvement in promoting awareness training, assigning responsibilities and audits. The GDPR DPO should provide advice for Data Protection Impact Assessments (DPIAs). They must cooperate with and act as the point of contact for the GDPR regulator. Although not an explicit legal requirement, GDPR regulators expect DPOs to be involved in offering information and advice on decisions to report data breaches to the regulators and to individuals affected. GDPR DPOs are not responsible for GDPR compliance; this always remains the legal responsibility of the Data Controller or Data Processor.

DPOs in Reality: Details Matter

Despite the clear legal requirements, regulatory guidance and established best practice, some businesses and organisations have kept legacy data governance structures and pre-GDPR DPO reporting lines. Much of this may be a result of corporate or organisational inertia. For other organisations, whose business models prefer low or no regulation, the GDPR DPO role can often be minimised or an external law firm is used to provide legal advice from time to time. No organisational or culture change in data governance is anticipated. The GDPR DPO requirement challenges organisational power-centres and leadership cliques. It requires boards to work closely with a board outsider, who is legally obliged to act independently and respond to an external regulator, if and as required. It also challenges business cultures that regard regulatory compliance as interfering, anti-innovation and bureaucratic, because the GDPR DPO must monitor compliance and report to the highest level of management. Often, in these organisations, the selected DPO is a middle-manager with limited influence, little direct budget and few resources. The DPO is not seen as a coveted role for inward or outward career progression. The DPO is located far from senior leadership and the centres of power. The GDPR DPO role is also a challenge to organisations that are opaque, siloed and do not actively promote transparency and accountability.

In some organisations, the DPO is seen as an arms-length advisor, a person to go to for an opinion. DPOs are only permitted to become involved in a matter after business and data-use decisions have been finalised, and their role is to offer a view, for the record, which may not influence the decisions already made. The aim, in these organisations, is to evidence that they have an established process for DPO involvement. Data Protection by Design and Default as well as high quality iterative Data Protection Impact Assessments (DPIAs) are rare, and the ones completed are often superficial. In some organisations, a very senior person with an existing substantial role is appointed as the DPO. The real work is done by a far more junior Data Protection Manager and a small team. This senior person does not have the expertise, proximity to the data processing or the ability to spot data protection issues, and so other senior employees see data protection as a non-demanding adjunct activity. For other businesses, using external or outsourced DPOs can be an effective way of freeing data governance from corporate apathy and internal factions, and of ensuring a level of detached independent expert analysis. The challenge for these organisations is to agree enough funding for these services and to provide effective internal support systems for the external or outsourced DPO. For this approach to be effective, the DPO must have high quality internal access in order to fully understand the organisation, and the DPO’s outputs must be respected and actioned.

What the GDPR Regulators say about DPOs

The EU’s data protection regulators have started to investigate and enforce the GDPR DPO requirements. They have restated and emphasised the legal duties and issued fines to businesses and organisations that have not met the legal requirements of the role. Most of the enforcement decisions have been in Belgium, Germany, Spain, Greece, Luxembourg and Austria and were about the failure to appoint DPOs. In 2020, the Belgian Data Protection Authority, Autorité de protection des données Gegevensbeschermingsautoriteit (APD-GBA), fined a company for its DPO’s lack of independence because the DPO had other roles in the organisation. There was no system to prevent conflicts of interest and the DPO was not sufficiently involved in the processing of personal data breaches.

In a series of cases in 2021, the Luxembourg Data Protection Authority, Commission Nationale pour la Protection des Données (CNPD), issued fines against five companies for DPOs not reporting to the highest level of the organisation (two levels of hierarchy were in between), insufficient resources to fulfil the role and not including the DPO in all data processing matters. CNPD also fined an organisation for not properly training the DPO so that they could independently and properly advise and inform the organisation. They also found that a DPO lacked enough autonomy. CNPD found common themes, such as Data Controllers not having control plans to ensure that the DPO’s duties were being properly performed.

The legal position on the role of the GDPR DPO is clear. Data Controllers and Data Processors cannot argue lack of knowledge, unclear legal interpretation or uncertainty, when their DPOs and other GDPR accountability and transparency efforts are judged and put to the test.

PrivacySolved offers External and Special Projects Data Protection Officers, as well as Data Protection Officer as a Service (DPOaaS). We also offer international businesses and organisations EU and UK Data Protection Representative Services. Contact PrivacySolved:

Telephone: +44 (0) 207 175 9771 (London)

Telephone: +353 1 960 9370 (Dublin)

Email: contact@privacysolved.com

PS022022