Celebrated every year on January 28 to promote privacy and data protection best practices, Data Privacy Day is an important day to highlight discussion topics related to the privacy of online consumers. This is Cloudbric’s second year in a row joining other Data Privacy Day champions in raising awareness. If you don’t already know, Data Protection Day, from which Data Privacy Day came about, commemorates the signing of Convention 108 — the first legally binding international treaty dealing with privacy and data protection.
One of the biggest issues that has everyone talking is the European Union’s (EU) GDPR (General Data Protection Regulation), set to be enforced on May 28, 2018. Many are wondering what the GDPR will mean for small businesses around the world — and not just in Europe. Any business dealing with the data of EU citizens will need to make sure they are on the right track for full compliance or they may otherwise face the possibility of paying costly fines — something that small businesses may not be able to afford.
Unfortunately, small businesses don’t get a free pass just because they lack the same resources that a larger business might already have to meet the GDPR requirements. As mentioned, regardless of size, any company collecting, storing, and using personal information of data originating in the EU must comply with the newly set regulations of the GDPR. Fortunately, the GDPR stipulations do account for these budgetary differences as members of the European Commission recognize that small businesses require “special” treatment and should not be treated in the same tier as large enterprises.
One clear difference between small businesses and large enterprises under the GDPR is whether or not they need to hire a Data Protection Officer, or DPO. Businesses must appoint a DPO if they are public bodies, especially if they intend to carry out large scale systematic monitoring of individuals, like online behavior tracking. However, the term “small business” may refer to something different across different industries and in different countries, so it can get confusing. For example, according to the U.S. Small Business Administration, a small business is defined as a business with fewer than 500 employees. In the context of the GDPR, appointing a DPO is only required for businesses with over 250 employees.
So what roles does a DPO take on? Such requirement was included to ensure that “large” organizations take full responsibility for processing large amounts of data, and a DPO’s role is to do just that as outlined in Article 39 of the GDPR:
- Inform and advise the controller/ processor and their employees involved in data processing of their obligations under the GDPR and other data protection laws
- Monitor compliance with the GDPR and other applicable data protection laws as well as with internal data protection policies (including assigning internal data protection responsibilities, training staff and conducting compliance audits)
- Provide advice in relation to data protection impact assessments
- Cooperate with, act as point of contact for, and as appropriate, consult with, supervisory
GDPR implementation may be rocky at first. Though the role of a DPO is formally introduced, whether a company must appoint one or not depends on the size of the company and the extent to which they use data. Small businesses may opt to outsource DPOs, in other words recruit and appoint qualified officials who work on an ad-hoc basis. Furthermore, due to a cybersecurity shortage, can we expect the role of DPO to be one that is often shared across organizations? At the end of the day, DPOs are there to ensure that consumer data is being protected — and we may see interesting forms of DPO representation in the future. In the scope of GDPR and beyond, finding out how to best promote privacy and awareness even in times of change is what Data Privacy is all about.