The Data Protection Officer (DPO):
Everything You Need to Know
Debra J. Farber, JD, CISSP-ISSMP, CIPP/US/E/IT/G, CIPM, FIP
U.S. Chief Privacy Officer, CRANIUM
Who am I?
• Consultant and non-practicing lawyer;
• 14 years experience operationalizing privacy and security;
• Executive Consultant & CPO at CRANIUM;
• Advisor to BigID;
• IEEE Personal Data Privacy Working Group;
• IAPP CIPT Exam Development Advisory Board;
• Sr. Director, Global Public Policy (Security & Privacy) at Visa;
- Member of the Advancing Cyber Resilience Working Group at
The World Economic Forum (WEF);
• Co-Founder of Women in Security & Privacy (WISP);
• Sr. Privacy Consultant & Product Manager at TrustArc;
• CEO & Principal at Farber Strategies Inc.;
- Executive Faculty at IANS;
- Professional Privacy Faculty Member at the IAPP;
• Director Product & Platform Privacy at Numera;
• Chief Privacy Officer at The Advisory Board Company;
• Managing Consultant (Privacy & Security) at IBM Global Services;
• Sr. Manager, Privacy & Policy at Revolution Health;
• Manager, Online Privacy at American Express
@privacyguru
Agenda
• The EU’s GDPR in 60 seconds
• When does an organization need to hire, appoint, or contract with a DPO?
• To whom should the DPO report to remain “independent” & avoid a conflict of
interest?
• Who can serve in the DPO role?
• What are the DPO’s responsibilities?
• Alphabet Soup: CPO vs. DPO vs. CISO
• The war for talent & how companies are staffing the DPO role
• Questions?
The EU’s GDPR in 60 seconds
When does an organization need to hire, appoint,
or contract with a DPO?
The GDPR states that appointing a DPO is mandatory to facilitate compliance with the GDPR in the following 3 specific cases:
• You are a Public Authority or Body, or acting as one;
• Your core activity consists of processing personal data “on a large scale,” which requires “regular & systematic monitoring;” or
• Your core activity consists of processing “on a large scale special categories of data.”
You may still choose to appoint a DPO even when the GDPR does not require it.
What Percentage of Your Software
Vulnerabilities have GDPR Implications?
We talked with LocalTapiola, a Finnish financial services company, about their efforts to prepare for GDPR, and our own analysis showed that 25% of bugs on HackerOne have GDPR implications.
GDPR Article 33 states that data breaches must be disclosed to the organization’s supervisory authority “without
undue delay and, where feasible, not later than 72 hours after having become aware of it.” It’s not uncommon these
days for organizations to require weeks or months to remedy a vulnerability.
Our advice regarding GDPR has always been to find and fix vulnerabilities before they can be exploited. There’s no
disclosure requirement for bugs, only for breaches, and running a bug bounty program is a great way to identify
vulnerabilities before the bad guys do.
To whom should the DPO report to remain
“independent” & avoid a conflict of interest?
The DPO must be “independent”?
A DPO cannot hold a position within the organization that leads them to determine the “purposes and the
means of the processing” of personal data or that otherwise creates a conflict.
Data controllers or processors should:
• Identify positions which would be incompatible with the DPO function;
• Draw up internal rules to avoid “conflicts of interests;”
• Formally declare via internal & external comms & in policy documentation that the DPO has no conflict of interests with regard to their function as a DPO, as a way of raising awareness of this requirement;
• Include safeguards within the organization’s internal rules and ensure that the publicly-posted DPO job description or the services
contract for an External DPO is sufficiently precise and detailed in order to avoid a conflict of interests.
More likely an independent reporting line:
- Chief Compliance Officer;
- Audit team;
- Report directly to the CEO, COO, Board, etc.;
- External contractor (i.e., outside consultant or counsel) reporting to a C-level officer or the Board;
- Other reporting line without conflicts.
More likely a conflict of interest reporting line:
- Chief Privacy Officer;
- Chief Information Security Officer;
- Chief Information Officer;
- Business Line reporting: i.e., Marketing, HR, Product, etc.;
- Reporting up to other business executives who determine the purpose & means of processing.
Obligations to support your independent DPO
Your org is ultimately responsible for GDPR compliance & must be able to demonstrate that
compliance, not the DPO.
The Article 29 Working Party called out the following activities as necessary for an org to properly support its DPO:
• Active support of the DPO by senior management – i.e., Board-level, C-level;
• Sufficient time to fulfill their duties;
• Financial, infrastructure and staff resources;
• Official communication of the DPO appointment to all employees;
• Access to stakeholders such as HR, Legal, IT, Security etc.;
• Continuous training; and
• A DPO team depending on the size and structure of the organization.
The DPO’s employer may NOT:
• Instruct the DPO on how to deal with a matter, what result should be achieved, how to investigate a complaint, or whether to
consult the Supervisory Authority (“SA”); or
• Instruct the DPO to take a certain view of an issue related to data protection law or follow a particular legal interpretation.
Who can serve in the DPO role?
The GDPR does not specify the precise credentials a DPO is
expected to have. However, the WP29 defines certain minimum
requirements regarding the DPO’s expertise & skills:
• Level of Expertise: It is essential that the DPO understand
how to build, implement, & manage data protection
programs. The more complex or high-risk the data
processing activities are, the greater the expertise the
DPO will need.
• Professional Qualities: DPOs need not be lawyers, but
they must have expertise in member state and European
data protection law, including an in-depth knowledge of
the GDPR. DPOs must also have a reasonable
understanding of the organization's technical and
organizational structure and be familiar with information
technologies and data security.
• In the case of a public authority or body, the DPO should
have sound knowledge of its administrative rules &
procedures.
What are the DPO’s responsibilities?
According to the GDPR, the DPO must perform the following tasks:
Monitor Compliance
• Collect information to identify and analyze processing activities;
• Analyze and check the compliance of processing activities;
• Conduct audits to ensure GDPR compliance & address potential issues.
Inform & Advise
• Inform, advise, & issue recommendations on data handling to the controller or processor – e.g., based on DPIAs;
• Educate company / employees on GDPR obligations & other data protection requirements; and train data handling staff.
Coordinate with the SA
• Cooperate with the Supervisory Authorities (“SA”) & make the organization’s records available on request;
• Proactively report issues with data processing, such as data breaches.
Serve as Privacy Contact
• Serve as single point of contact for data subjects’ inquiries;
• Provide information on data subjects’ rights related to the org’s data protection practices, withdrawal of consent, the right to be forgotten, & other rights.
Orgs have GDPR obligations to support the DPO:
Effective Governance
• Effectively communicate to personnel the appointment of the DPO and his or her functions;
• Ensure the DPO has significant independence in the performance of his or her role;
• Ensure a direct reporting line “to the highest management level” of the company;
• Involve the DPO at the earliest stage possible in all issues relating to privacy & data protection;
• Invite the DPO to participate in senior management meetings to represent privacy & data protection interests.
Resources & Training
• Provide sufficient time & resources (financial, infrastructure, equipment, training, & staff) necessary for the DPO to keep up-to-date with data privacy & security developments and to carry out tasks effectively & efficiently.
Appropriate Access
• Provide appropriate access to personal data that the organization processes, including access to the systems;
• Promptly consult the DPO in the event of a personal data breach or security incident;
• The DPO’s opinion must be given due weight. Should the business choose not to follow the advice of the DPO, the business should document the reasons for such decision.
Other Functions
• DPOs may perform other tasks and duties provided they do not create conflicts of interest (e.g., training the Board, executives, & employees);
• Job security: the GDPR expressly prevents dismissal or penalty of the data protection officer for performance of her tasks and places no limitation on the length of this tenure.
DPO Job Description (example)
Expertise and Professional Qualities
• Expertise in national & European data protection laws and practices and an in-depth
understanding of the GDPR;
• Years of experience in data protection program management commensurate with
the sensitivity, complexity, & amount of data the employer processes;
• Integrity & high professional ethics;
• Can handle info & business affairs w/ secrecy & confidentiality as appropriate;
• Demonstrated leadership & project management experience;
• Ability to communicate effectively with the highest levels of management &
decision-making within the organization;
• Familiarity with privacy and security risk assessment and best practices, privacy
certifications/seals, and information security standards certifications;
• Sound understanding of and familiarity with information technology programming &
infrastructure, and information security practices and audits;
• Ability to communicate effectively with data subjects, data protection authorities, &
other controllers and processors across national boundaries and cultures;
• Adequate self-awareness & confidence to acknowledge knowledge gaps and seek to
fill them from reliable sources;
• Knowledge of the business sector & of the employer’s organization;
• Sufficient understanding of the processing operations carried out, as well as the
information systems, and data security and data protection needs of the employer;
• In the case of a public authority or body, the DPO should also have a sound
knowledge of the administrative rules and procedures of the organization.
DPO Tasks
• Inform, advise, & issue recommendations regarding GDPR compliance;
• Foster a culture of data protection within the org & help to implement essential
elements of the GDPR, such as the principles of data processing, data subjects’
rights, data protection by design & by default, records of processing activities,
security of processing, & notification and communication of data breaches;
• Advise the controller/processor regarding:
• Whether or not to carry out a data protection impact assessment (“DPIA”),
• What methodology to follow when carrying out a DPIA,
• Whether to carry out the DPIA in-house or outsource it,
• What safeguards (including technical and organizational measures) to
apply to mitigate any risks to the rights and interests of the data subjects,
• Whether or not the DPIA has been correctly carried out and whether its
conclusions (whether or not to go ahead with the processing and what
safeguards to apply) are in compliance with the GDPR;
• Maintain the record of processing operations under the responsibility of the
controller as one of the tools enabling compliance monitoring, informing and
advising the controller or the processor;
• Document all decisions taken consistent with and contrary to DPO’s advice;
• Offer consultation once a data breach or other incident has occurred.
• Ability to fulfill tasks
• Adequate and regular ongoing training;
• Self-starter and ability to act independently
Alphabet Soup: CPO vs. DPO vs. CISO
CPO:
• Responsible for setting and implementing global data handling policies & rules, and advising the business on the ways and means of processing;
• Responsible for putting in place data protection by design and default; complete DPIAs where processing of personal data poses a “high-risk”;
• Responsible for GDPR documentation: e.g. records of processing; subject access requests;
• Responsible for implementing processes into the business that respect the rights of the data subject (e.g., rights to access, rectification, portability, erasure, etc.).
CISO:
• Responsible for securing global corporate infrastructure, applications, IP, & personal data;
• Support CPO by answering security questions;
• Responsible for implementation of appropriate technical & organizational measures to ensure a level of security appropriate to risk;
• Responsible for ensuring the security of the systems and transactions with respect to the rights of data subjects.
DPO:
• Responsible for oversight of EU privacy, data protection, & security compliance;
• Advise CPO on when a DPIA is necessary & the risk-based methodology to use; review risks identified by DPIA for GDPR compliance;
• Advise the CPO & CISO on meeting GDPR documentation requirements, mitigating security controls, whether controls have been accurately carried out;
• Advise the organization on whether it is appropriately respecting the rights of data subjects.
* The DPO may benefit from support from a Data Protection Office.
* The DPO may be physically located in another jurisdiction.
The war for talent & how companies are staffing
the DPO role
Contact Info:
Debra J. Farber
debra.farber@craniumusa.com
@privacyguru @CraniumUSA
https://www.linkedin.com/in/privacyguru
HackerOne Response: The VDP SaaS Platform
Benefits of a VDP Platform
Better signal:noise ratio
Decorate reports with industry standards (cvss, cwe, affected asset)
Better data security via encryption
Streamlined workflow and comms process
Easier and more informative reporting
“Email is not a very good mechanism for tracking multiple cases at once. Vendors...should consider setting up a web-based case tracking system instead.” (CERT CVD Guide, page 58, Sections 7.1.1.1 and 7.1.4)
GDPR requires companies to maintain “...a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational
measures for ensuring the security of the processing,” which is exactly where bug bounties fit in.
Our specialized product for PSIRT teams, HackerOne Response, has helped orgs like GM, DoD, and Adobe achieve their goals.
 
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report
 
Federal Trade Commission's Start With Security Guide
Federal Trade Commission's Start With Security GuideFederal Trade Commission's Start With Security Guide
Federal Trade Commission's Start With Security Guide
 
Understanding Information Security Assessment Types
Understanding Information Security Assessment TypesUnderstanding Information Security Assessment Types
Understanding Information Security Assessment Types
 
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
 
9 Top Bug Bounty Programs
9 Top Bug Bounty Programs9 Top Bug Bounty Programs
9 Top Bug Bounty Programs
 
Voices of Vulnerability Disclosure Policy
Voices of Vulnerability Disclosure PolicyVoices of Vulnerability Disclosure Policy
Voices of Vulnerability Disclosure Policy
 
GDPR Guide: The ICO's 12 Recommended Steps To Take Now
GDPR Guide: The ICO's 12 Recommended Steps To Take NowGDPR Guide: The ICO's 12 Recommended Steps To Take Now
GDPR Guide: The ICO's 12 Recommended Steps To Take Now
 
Why Executives Underinvest In Cybersecurity
Why Executives Underinvest In CybersecurityWhy Executives Underinvest In Cybersecurity
Why Executives Underinvest In Cybersecurity
 
Bug Bounties and The Path to Secure Software by 451 Research
Bug Bounties and The Path to Secure Software by 451 ResearchBug Bounties and The Path to Secure Software by 451 Research
Bug Bounties and The Path to Secure Software by 451 Research
 
Bug Bounty Basics
Bug Bounty BasicsBug Bounty Basics
Bug Bounty Basics
 
An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...
An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...
An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...
 
HackerOne Presents in China - COO Ning Wang
HackerOne Presents in China - COO Ning WangHackerOne Presents in China - COO Ning Wang
HackerOne Presents in China - COO Ning Wang
 
Tapping Hackers for Continuous Security: That's Hacker-Powered Security
Tapping Hackers for Continuous Security: That's Hacker-Powered SecurityTapping Hackers for Continuous Security: That's Hacker-Powered Security
Tapping Hackers for Continuous Security: That's Hacker-Powered Security
 
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports  how do they work, @sushihack presents at Nu...Bounty Craft: Bug bounty reports  how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
 
Meet the hackers powering the world's best bug bounty programs
Meet the hackers powering the world's best bug bounty programsMeet the hackers powering the world's best bug bounty programs
Meet the hackers powering the world's best bug bounty programs
 

Recently uploaded

Bharatiya Nagarik Suraksha Sanhita power.pptx
Bharatiya Nagarik Suraksha Sanhita power.pptxBharatiya Nagarik Suraksha Sanhita power.pptx
Bharatiya Nagarik Suraksha Sanhita power.pptx
ShivkumarIyer18
 
EMPLOYMENT LAW AN OVERVIEW in Malawi.pptx
EMPLOYMENT LAW  AN OVERVIEW in Malawi.pptxEMPLOYMENT LAW  AN OVERVIEW in Malawi.pptx
EMPLOYMENT LAW AN OVERVIEW in Malawi.pptx
MwaiMapemba
 
ADR in criminal proceeding in Bangladesh with global perspective.
ADR in criminal proceeding in Bangladesh with global perspective.ADR in criminal proceeding in Bangladesh with global perspective.
ADR in criminal proceeding in Bangladesh with global perspective.
Daffodil International University
 
VAWA - Violence Against Women Act Presentation
VAWA - Violence Against Women Act PresentationVAWA - Violence Against Women Act Presentation
VAWA - Violence Against Women Act Presentation
FernandoSimesBlanco1
 
Donald_J_Trump_katigoritirio_stormi_daniels.pdf
Donald_J_Trump_katigoritirio_stormi_daniels.pdfDonald_J_Trump_katigoritirio_stormi_daniels.pdf
Donald_J_Trump_katigoritirio_stormi_daniels.pdf
ssuser5750e1
 
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...
Dr. Oliver Massmann
 
WINDING UP of COMPANY, Modes of Dissolution
WINDING UP of COMPANY, Modes of DissolutionWINDING UP of COMPANY, Modes of Dissolution
WINDING UP of COMPANY, Modes of Dissolution
KHURRAMWALI
 
ALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdfALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdf
46adnanshahzad
 
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
9ib5wiwt
 
Secure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark TodaySecure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark Today
Trademark Quick
 
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptx
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptxNATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptx
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptx
anvithaav
 
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense CounselMilitary Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Thomas (Tom) Jasper
 
Abdul Hakim Shabazz Deposition Hearing in Federal Court
Abdul Hakim Shabazz Deposition Hearing in Federal CourtAbdul Hakim Shabazz Deposition Hearing in Federal Court
Abdul Hakim Shabazz Deposition Hearing in Federal Court
Gabe Whitley
 
Car Accident Injury Do I Have a Case....
Car Accident Injury Do I Have a Case....Car Accident Injury Do I Have a Case....
Car Accident Injury Do I Have a Case....
Knowyourright
 
Rokita Releases Soccer Stadium Legal Opinion
Rokita Releases Soccer Stadium Legal OpinionRokita Releases Soccer Stadium Legal Opinion
Rokita Releases Soccer Stadium Legal Opinion
Abdul-Hakim Shabazz
 
一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理
一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理
一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理
o6ov5dqmf
 
Responsibilities of the office bearers while registering multi-state cooperat...
Responsibilities of the office bearers while registering multi-state cooperat...Responsibilities of the office bearers while registering multi-state cooperat...
Responsibilities of the office bearers while registering multi-state cooperat...
Finlaw Consultancy Pvt Ltd
 
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
9ib5wiwt
 
The Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot CitizenshipThe Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot Citizenship
BridgeWest.eu
 
Business and Corporate Case Update (2024)
Business and Corporate Case Update (2024)Business and Corporate Case Update (2024)
Business and Corporate Case Update (2024)
Wendy Couture
 

Recently uploaded (20)

Bharatiya Nagarik Suraksha Sanhita power.pptx
Bharatiya Nagarik Suraksha Sanhita power.pptxBharatiya Nagarik Suraksha Sanhita power.pptx
Bharatiya Nagarik Suraksha Sanhita power.pptx
 
EMPLOYMENT LAW AN OVERVIEW in Malawi.pptx
EMPLOYMENT LAW  AN OVERVIEW in Malawi.pptxEMPLOYMENT LAW  AN OVERVIEW in Malawi.pptx
EMPLOYMENT LAW AN OVERVIEW in Malawi.pptx
 
ADR in criminal proceeding in Bangladesh with global perspective.
ADR in criminal proceeding in Bangladesh with global perspective.ADR in criminal proceeding in Bangladesh with global perspective.
ADR in criminal proceeding in Bangladesh with global perspective.
 
VAWA - Violence Against Women Act Presentation
VAWA - Violence Against Women Act PresentationVAWA - Violence Against Women Act Presentation
VAWA - Violence Against Women Act Presentation
 
Donald_J_Trump_katigoritirio_stormi_daniels.pdf
Donald_J_Trump_katigoritirio_stormi_daniels.pdfDonald_J_Trump_katigoritirio_stormi_daniels.pdf
Donald_J_Trump_katigoritirio_stormi_daniels.pdf
 
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...
 
WINDING UP of COMPANY, Modes of Dissolution
WINDING UP of COMPANY, Modes of DissolutionWINDING UP of COMPANY, Modes of Dissolution
WINDING UP of COMPANY, Modes of Dissolution
 
ALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdfALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdf
 
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
 
Secure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark TodaySecure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark Today
 
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptx
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptxNATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptx
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptx
 
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense CounselMilitary Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
 
Abdul Hakim Shabazz Deposition Hearing in Federal Court
Abdul Hakim Shabazz Deposition Hearing in Federal CourtAbdul Hakim Shabazz Deposition Hearing in Federal Court
Abdul Hakim Shabazz Deposition Hearing in Federal Court
 
Car Accident Injury Do I Have a Case....
Car Accident Injury Do I Have a Case....Car Accident Injury Do I Have a Case....
Car Accident Injury Do I Have a Case....
 
Rokita Releases Soccer Stadium Legal Opinion
Rokita Releases Soccer Stadium Legal OpinionRokita Releases Soccer Stadium Legal Opinion
Rokita Releases Soccer Stadium Legal Opinion
 
一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理
一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理
一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理
 
Responsibilities of the office bearers while registering multi-state cooperat...
Responsibilities of the office bearers while registering multi-state cooperat...Responsibilities of the office bearers while registering multi-state cooperat...
Responsibilities of the office bearers while registering multi-state cooperat...
 
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
 
The Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot CitizenshipThe Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot Citizenship
 
Business and Corporate Case Update (2024)
Business and Corporate Case Update (2024)Business and Corporate Case Update (2024)
Business and Corporate Case Update (2024)
 

Everything you Need to Know about The Data Protection Officer Role

  • 1. The Data Protection Officer (DPO): Everything You Need to Know Debra J. Farber, JD, CISSP-ISSMP, CIPP/US/E/IT/G, CIPM, FIP U.S. Chief Privacy Officer, CRANIUM
  • 2. Who am I? • Consultant and non-practicing lawyer; • 14 years experience operationalizing privacy and security; • Executive Consultant & CPO at CRANIUM; • Advisor to BigID; • IEEE Personal Data Privacy Working Group; • IAPP CIPT Exam Development Advisory Board; • Sr. Director, Global Public Policy (Security & Privacy) at Visa; - Member of the Advancing Cyber Resilience Working Group at The World Economic Forum (WEF); • Co-Founder of Women in Security & Privacy (WISP); • Sr. Privacy Consultant & Product Manager at TrustArc; • CEO & Principal at Farber Strategies Inc.; - Executive Faculty at IANS; - Professional Privacy Faculty Member at the IAPP; • Director Product & Platform Privacy at Numera; • Chief Privacy Officer at The Advisory Board Company; • Managing Consultant (Privacy & Security) at IBM Global Services; • Sr. Manager, Privacy & Policy at Revolution Health; • Manager, Online Privacy at American Express @privacyguru
  • 3. Agenda • The EU’s GDPR in 60 seconds • When does an organization need to hire, appoint, or contract with a DPO? • To whom should the DPO report to remain “independent” & avoid a conflict of interest? • Who can serve in the DPO role? • What are the DPO’s responsibilities? • Alphabet Soup: CPO vs. DPO vs. CISO • The war for talent & how companies are staffing the DPO role • Questions? 3
  • 4. The EU’s GDPR in 60 seconds
  • 5.
  • 6. When does an organization need to hire, appoint, or contract with a DPO?
  • 7. The GDPR states that appointing a DPO is mandatory to facilitate compliance with the GDPR in the following 3 specific cases:
    • You are a Public Authority or Body, or acting as one;
    • Your core activity consists of processing personal data “on a large scale,” which requires “regular & systematic monitoring;” or
    • Your core activity consists of processing “on a large scale of special categories of data.”
    You may still choose to appoint a DPO even when the GDPR does not require it.
  • 8.
  • 9. What Percentage of Your Software Vulnerabilities have GDPR Implications? DOWNLOAD THE FREE E-BOOK
    We talked with LocalTapiola, a Finnish financial services company, about their efforts to prepare for GDPR, and our own analysis showed that 25% of bugs on HackerOne have GDPR implications.
    GDPR Article 33 states that data breaches must be disclosed to the organization’s supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” It’s not uncommon these days for organizations to require weeks or months to remedy a vulnerability.
    Our advice regarding GDPR has always been to find and fix vulnerabilities before they can be exploited. There’s no disclosure requirement for bugs, only for breaches, and running a bug bounty program is a great way to identify vulnerabilities before the bad guys do.
  • 10. To whom should the DPO report to remain “independent” & avoid a conflict of interest?
  • 11. The DPO must be “independent”?
    A DPO cannot hold a position within the organization that leads them to determine the “purposes and the means of the processing” of personal data or that otherwise creates a conflict. Data controllers or processors should:
    • Identify positions which would be incompatible with the DPO function;
    • Draw up internal rules to avoid “conflicts of interests;”
    • Formally declare via internal & external comms & in policy documentation that the DPO has no conflict of interests with regard to function as a DPO, as a way of raising awareness of this requirement;
    • Include safeguards within the organization’s internal rules and ensure that the publicly-posted DPO job description or the services contract for an External DPO is sufficiently precise and detailed in order to avoid a conflict of interests.
    More likely an independent reporting line:
    - Chief Compliance Officer;
    - Audit team;
    - Report directly to the CEO, COO, Board, etc.;
    - External contractor (i.e., outside consultant or counsel) reporting to a C-level officer or the Board;
    - Other reporting line without conflicts.
    More likely a conflict of interest reporting line:
    - Chief Privacy Officer;
    - Chief Information Security Officer;
    - Chief Information Officer;
    - Business Line reporting: i.e., Marketing, HR, Product, etc.;
    - Reporting up to other business executives who determine the purpose & means of processing.
  • 12. Obligations to support your independent DPO
    Your org is ultimately responsible for GDPR compliance & must be able to demonstrate that compliance, not the DPO. The Article 29 Working Party called out the following activities as necessary for an org to properly support its DPO:
    • Active support of the DPO by senior management – i.e., Board-level, C-level;
    • Sufficient time to fulfill their duties;
    • Financial, infrastructure and staff resources;
    • Official communication of the DPO appointment to all employees;
    • Access to stakeholders such as HR, Legal, IT, Security etc.;
    • Continuous training; and
    • A DPO team, depending on the size and structure of the organization.
    The DPO’s employer may NOT:
    • Instruct the DPO on how to deal with a matter, what result should be achieved, how to investigate a complaint, or whether to consult the Supervisory Authority (“SA”); or
    • Instruct the DPO to take a certain view of an issue related to data protection law or follow a particular legal interpretation.
  • 13. Who can serve in the DPO role?
  • 14. The GDPR does not specify the precise credentials a DPO is expected to have. However, the WP29 defines certain minimum requirements regarding the DPO’s expertise & skills:
    • Level of Expertise: It is essential that the DPO understand how to build, implement, & manage data protection programs. The more complex or high-risk the data processing activities are, the greater the expertise the DPO will need.
    • Professional Qualities: DPOs need not be lawyers, but they must have expertise in member state and European data protection law, including an in-depth knowledge of the GDPR. DPOs must also have a reasonable understanding of the organization's technical and organizational structure and be familiar with information technologies and data security.
    • In the case of a public authority or body, the DPO should have sound knowledge of its administrative rules & procedures.
  • 15. What are the DPO’s responsibilities?
  • 16. According to the GDPR, the DPO must perform the following tasks:
    Monitor Compliance
    • Collect information to identify and analyze processing activities;
    • Analyze and check the compliance of processing activities;
    • Conduct audits to ensure GDPR compliance & address potential issues.
    Inform & Advise
    • Inform, advise, & issue recommendations on data handling to the controller or processor – e.g., based on DPIAs;
    • Educate company / employees on GDPR obligations & other data protection requirements; and train data handling staff.
    Coordinate with the SA
    • Cooperate with the Supervisory Authorities (“SA”) & make the organization’s records available on request;
    • Proactively report issues with data processing, such as data breaches.
    Serve as Privacy Contact
    • Serve as single point of contact for data subjects’ inquiries;
    • Provide information on data subjects’ rights related to the org’s data protection practices, withdrawal of consent, the right to be forgotten, & other rights.
  • 17. Orgs have GDPR obligations to support the DPO:
    Effective Governance
    • Effectively communicate to personnel the appointment of the DPO and his or her functions;
    • Ensure the DPO has significant independence in the performance of his or her role;
    • Ensure a direct reporting line “to the highest management level” of the company;
    • Involve the DPO at the earliest stage possible in all issues relating to privacy & data protection;
    • Invite the DPO to participate in senior management meetings to represent privacy & data protection interests.
    Resources & Training
    • Provide sufficient time & resources (financial, infrastructure, equipment, training, & staff) necessary for the DPO to keep up-to-date with data privacy & security developments and to carry out tasks effectively & efficiently.
    Appropriate Access
    • Provide appropriate access to personal data that the organization processes, including access to the systems;
    • Promptly consult the DPO in the event of a personal data breach or security incident;
    • The DPO’s opinion must be given due weight. Should the business choose not to follow the advice of the DPO, the business should document the reasons for such decision.
    Other Functions
    • DPOs may perform other tasks and duties provided they do not create conflicts of interest (e.g., training the Board, executives, & employees);
    • Job security: the GDPR expressly prevents dismissal or penalty of the data protection officer for performance of her tasks and places no limitation on the length of this tenure.
  • 18. DPO Job Description (example)
    Expertise and Professional Qualities
    • Expertise in national & European data protection laws and practices and an in-depth understanding of the GDPR;
    • Years of experience in data protection program management commensurate with the sensitivity, complexity, & amount of data the employer processes;
    • Integrity & high professional ethics;
    • Can handle info & business affairs w/ secrecy & confidentiality as appropriate;
    • Demonstrated leadership & project management experience;
    • Ability to communicate effectively with the highest levels of management & decision-making within the organization;
    • Familiarity with privacy and security risk assessment and best practices, privacy certifications/seals, and information security standards certifications;
    • Sound understanding of and familiarity with information technology programming & infrastructure, and information security practices and audits;
    • Ability to communicate effectively with data subjects, data protection authorities, & other controllers and processors across national boundaries and cultures;
    • Adequate self-awareness & confidence to acknowledge knowledge gaps and seek to fill them from reliable sources;
    • Knowledge of the business sector & of the employer’s organization;
    • Sufficient understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the employer;
    • In the case of a public authority or body, the DPO should also have a sound knowledge of the administrative rules and procedures of the organization.
    DPO Tasks
    • Inform, advise, & issue recommendations regarding GDPR compliance;
    • Foster a culture of data protection within the org & help to implement essential elements of the GDPR, such as the principles of data processing, data subjects’ rights, data protection by design & by default, records of processing activities, security of processing, & notification and communication of data breaches;
    • Advise the controller/processor regarding:
      • Whether or not to carry out a data protection impact assessment (“DPIA”),
      • What methodology to follow when carrying out a DPIA,
      • Whether to carry out the DPIA in-house or outsource it,
      • What safeguards (including technical and organizational measures) to apply to mitigate any risks to the rights and interests of the data subjects,
      • Whether or not the DPIA has been correctly carried out and whether its conclusions (whether or not to go ahead with the processing and what safeguards to apply) are in compliance with the GDPR;
    • Maintain the record of processing operations under the responsibility of the controller as one of the tools enabling compliance monitoring, informing and advising the controller or the processor;
    • Document all decisions taken consistent with and contrary to the DPO’s advice;
    • Offer consultation once a data breach or other incident has occurred.
    Ability to fulfill tasks
    • Adequate and regular ongoing training;
    • Self-starter and ability to act independently.
  • 19. Alphabet Soup: CPO vs. DPO vs. CISO
  • 20. CPO
    • Responsible for setting and implementing global data handling policies & rules, and advising the business on the ways and means of processing;
    • Responsible for putting in place data protection by design and default; complete DPIAs where processing of personal data poses a “high risk”;
    • Responsible for GDPR documentation: e.g., records of processing; subject access requests;
    • Responsible for implementing processes into the business that respect the rights of the data subject (e.g., rights to access, rectification, portability, erasure, etc.).
    CISO
    • Responsible for securing global corporate infrastructure, applications, IP, & personal data;
    • Support the CPO by answering security questions;
    • Responsible for implementation of appropriate technical & organizational measures to ensure a level of security appropriate to risk;
    • Responsible for ensuring the security of the systems and transactions with respect to the rights of data subjects.
    DPO
    • Responsible for oversight of EU privacy, data protection, & security compliance;
    • Advise the CPO on when a DPIA is necessary & the risk-based methodology to use; review risks identified by the DPIA for GDPR compliance;
    • Advise the CPO & CISO on meeting GDPR documentation requirements, mitigating security controls, and whether controls have been accurately carried out;
    • Advise the organization on whether it is appropriately respecting the rights of data subjects.
    * The DPO may benefit from support from a Data Protection Office.
    * The DPO may be physically located in another jurisdiction.
  • 21. The war for talent & how companies are staffing the DPO role
  • 22.
  • 23. Contact Info: Debra J. Farber debra.farber@craniumusa.com @privacyguru @CraniumUSA https://www.linkedin.com/in/privacyguru
  • 24. HackerOne Response: The VDP SaaS Platform
    Benefits of a VDP Platform
    • Better signal:noise ratio
    • Decorate reports with industry standards (CVSS, CWE, affected asset)
    • Better data security via encryption
    • Streamlined workflow and comms process
    • Easier and more informative reporting
    DOWNLOAD THE FREE E-BOOK
    “Email is not a very good mechanism for tracking multiple cases at once. Vendors...should consider setting up a web-based case tracking system instead.” (CERT CVD Guide, page 58, Sections 7.1.1.1 and 7.1.4)
    GDPR requires companies to maintain “...a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing,” which is exactly where bug bounties fit in.
    Our specialized product for PSIRT teams, HackerOne Response, has helped orgs like GM, DoD, and Adobe achieve their goals.