Definition of GDPR
This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. The free movement of personal data within the European Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
What is the POSITION of a DPO?
The controller and the processor shall ensure that the data protection officer (DPO) is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
The controller and processor shall ensure that the DPO does not receive any instructions regarding the exercise of those tasks ... The DPO shall directly report to the highest management level of the controller and processor.
What are the DPO’s TASKS?
The DPO shall in the performance of his or her tasks have due regard to the risk associated with the processing operations, taking into account the nature, scope, context and purpose of processing.
The DPO shall have the following tasks:
to inform and advise the controller or the processor of their obligations pursuant to this Regulation and to the other European Union or Member state data protection provisions;
to monitor compliance with the Regulation, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations and all related audits;
to provide advice where requested as regards to the data protection impact assessment and monitor its performance;
to cooperate with the supervisory authority
to act as a contact point for the supervisory authority on issues relating to processing, including the prior consultation in case of high risk.
What about my Business?
GDPR is not there to kill your business. It's a new strategic conversation with your suppliers and your customers. The data protection officer is the interface between GDPR and the business opportunity.
It defines the rule of the game in which personal data are processed. But in reality, it's seldom a clear-cut situation. Several apparent pseudonymized or anonymised data sources have still the potential to 'single out' an individual after correlating the different data sets. As described in Article 35, new analytical technologies might need a data protection impact assessment. A DPIA is a report, prior to the processing, to evaluate the possible risks and consequences of the envisaged processing operations on the protection of personal data. For this assessment, the controller shall seek the advice of a data protection officer.
The link to legal
Article 6 of the GDPR offers the specific framework in which personal data can be processed. The data protection officer shall, together with the controller's management, define the appropriate context in order to make data processing lawful.
Processing personal data by a controller is 'lawful' only if and to the extent that at least one the following applies: the person has given consent for one or more specific purposes; the processing is linked to the performance of a contract to which the person is party; there's a need to comply with a legal obligation or to protect the vital interests of the person; the processing is part of a task carried out in the public interest or in the exercise of official authority vested in the controller; or the processing is necessary for the purposes of the legitimate interests pursued by the controller.
The link to ICT-technology and data-warehousing
The data protection officer will assist the controller's information security officer and/or ICT department to comply with the GDPR demands for appropriate technical measurements.
Article 25 demands data protection by design and by default. In time, the local supervisory authority will install certification mechanisms for the purpose of demonstrating technical compliance with GDPR. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures.
Should our company designate a data protection officer and what's the advantage of outsourcing this responsibility? Do we have processing operations which - by nature, by scope, by context, by purpose or due to regular and systematic monitoring of data subjects on a large scale - demand a dedicated DPO?
GDPR awareness session
How does GDPR impact our daily operations? Which departments are involved and how do we inform our personnel concerned with the processing of personal data? Do we have to inform our customers and how? Do we need new contracts with our suppliers? What's the definition of a data breach and how should we react when it happens? What happens if a data subject lodges a complaint with the supervisory authority?
Data protection by design and by default ... what does that mean? Have we taken sufficient technical and organisational measurements in order to comply with GDPR? What's the difference between data minimisation, pseudonymisation and anonymisation? What's the impact of GDPR on our data warehouse and/or ICT infrastructure? Is there an approved certification mechanism?
Data Protection Impact Assessment
Are we profiling people based on personal data? Are we processing data which by using new technologies or by correlating different data sources are likely to result in a risk to the rights and freedoms of a natural person? Do we need a DPIA and how can we take the necessary measurements? Should the DPO consult the supervisory authority prior to the data processing or analysis?
service contracts or codes of conduct
Do we need new agreements with our suppliers and/or customers? Does our data processing need an informed consent of our customers and what if they change their mind later on? Should we come forward with a code of conduct or do we remain with business as usual? What are the risks in case of a reactive policy?
Field of expertise
Although GDPR is a generic Ruling for all kinds of processing personal data in the European Union, not all sectors and businesses are alike. Blue Ocean view has build up expertise in a specific domain:
Agriculture and Food
Due to the DPO’s activities as a network manager for the IBN Smart Digital Farming and as collaborator in several European projects such as ICT-AGRI, S3 thematic platforms, SmartAgriHubs and the EFRO DataHub, processing data in the AgriFood sector within a GDPR environment are challenging. The AgriFood sector offers opportunities to assess your data processing without losing the competitive edge. Data streams between farmers, suppliers, food processors, distributors and retailers are very complex and data-driven decision support systems, based on a variety of data sources, offer a wide range of smart applications. But the ownership of the collected data and the added value extracted from the correlation bring new GDPR challenges which are underestimated and/or undetected so far.