DPO Archives - TechGDPR (https://techgdpr.com/blog/category/dpo/)

Data protection digest 18 Jul – 1 Aug 2025: DPO as a value creator and return on investment for companies
https://techgdpr.com/blog/data-protection-digest-4082025-dpo-as-a-value-creator-and-return-on-investment-for-companies/ (Mon, 04 Aug 2025)

The DPO as a value for a company

The French data protection regulator CNIL has studied the economic benefits of the presence of a Data Protection Officer within companies. Statistical analysis shows that it is often profitable, especially for companies taking a positive approach to GDPR compliance. The two most represented sectors were research, IT and consulting, and banking, insurance and mutual insurance companies. There are different types of benefits related to the DPO function – leverage to win calls for tenders, avoidance of sanctions, avoidance of data leaks and rationalisation of data management. Here are some examples:

  • The DPO is the point of contact for the supervisory authority and the persons whose data is processed. As such, they can take charge of organising the processing of people’s requests to exercise their rights so that a complete response is provided within the set deadlines.
  • The DPO contributes to a better knowledge of the company’s information assets. In doing so, their action helps to facilitate the use of data by centralising information and avoiding duplicates or data silos. This makes it easier for teams to access relevant data, which improves the efficiency of internal processes and decision-making.
  • A DPO ensures the main GDPR principles of purpose limitation, data minimisation, and limitation of retention, which leads to operational savings in terms of storage space (as well as fewer entry points for cybercriminals).
  • Finally, DPOs advise companies on the security measures to be put in place and participate in privacy impact assessments. They can carry out checks and audits and alert managers when security flaws are found.

There is also a return on investment in the sense that DPOs who have more time to dedicate to their function have better conditions to ensure the company’s compliance, which reduces the likelihood of being sanctioned. However, these benefits are not received by all companies with DPOs. They are better realised by large companies and by those that are most invested in GDPR compliance and consider compliance as a lever and less as a constraint. The adoption of certain good practices can make it possible to generate economic gains for the DPO function: 

  • Involve DPOs in certain executive committee meetings so that they can align compliance with the company’s overall strategy.
  • Integrate GDPR compliance with the CSR strategy and the ISS strategy to promote consistent planning and operations.
  • Try to quantify the economic benefits linked to the DPO’s role in the company, informally or through internal consultations.
  • Increase other business lines’ understanding of the importance of compliance concerns in the organisation’s strategy, acknowledge the DPO as a value creator, and coordinate their efforts with those of other departments.

EU-UK data transfers

According to a draft document released by the European Commission on 22 July, the UK maintains an adequate level of protection for EU-UK data transfers under the new Data Use and Access Act 2025 (DUAA), aligning with the EU GDPR and the Law Enforcement Directive. While the scope of the DUAA, which amends the UK GDPR and the DPA 2018, goes well beyond the protection of personal data, it provides for limited changes to several aspects of the data protection regime:

a) the rules on data processing for purposes of scientific research, b) the legal bases for data processing, c) the rules relating to the purpose limitation principle, and d) the conditions for automated decision-making. In addition, the DUAA amends the governance structure of the ICO. Once implemented, these measures will replace the ICO with a new entity, the Information Commission. The role and functions of the regulator will remain unchanged in the UK. The Act also introduces new enforcement powers for the regulator.

More legal updates

UK children’s data: On 25 July, the Protection of Children Code of Practice for regulated search services came into force, as required under the Online Safety Act 2023. The code imposes specific duties on search service providers to implement measures addressing content that is harmful to children, including requirements for governance and accountability arrangements, search moderation systems, content reporting mechanisms, complaints procedures, user support functionalities, and publicly available safety statements, digitalpolicyalert.org reports. 

EU AI Act provisions: Provisions of the EU AI Act on general-purpose AI models entered into force on 2 August. They bring clearer information about how AI models are trained, better enforcement of copyright protections and more responsible AI development. The Commission has also confirmed that the GPAI Code of Practice, developed by independent experts, is an adequate voluntary tool for providers of GPAI models. Providers who sign and adhere to the Code will benefit from a reduced regulatory burden and increased legal certainty. Providers must comply with transparency and copyright obligations when placing GPAI models on the EU market. Models already on the market must be brought into compliance by 2 August 2027.

AI Act implementation in Germany: EU member states were required to designate competent market surveillance authorities to oversee the AI Act by 2 August. This deadline has been missed by Germany, according to the Hamburg Data Protection Commissioner HmbBfDI. The regulator is therefore appealing to the federal government to promptly designate the AI market surveillance authorities stipulated by the AI Regulation, which, at least in some areas, also include the data protection supervisory authorities. Due to the delay, companies and authorities now lack a reliable contact person for questions about the AI regulation. This is also a disadvantage for Germany as a centre of AI innovation.

Web filtering

A web filtering gateway, often referred to as a web proxy, is a device or service used to control and monitor internet access by filtering web content according to predefined policies. Its main role is to block access to certain websites or categories of content for security and compliance reasons.

Web filtering gateways can help organisations meet their data security obligations (Art. 32 of the GDPR). However, they rely on data processing that must itself comply with the GDPR. To that end, the French data protection regulator CNIL opened to public consultation a draft guideline (in French) to promote such cybersecurity solutions that comply with the GDPR, both in their use and in their design. The draft document targets data controllers who, as employers, deploy a web filtering gateway (URL filtering and detection and blocking of malicious payloads) to secure internet browsing on their information system. This applies to the browsing of employees, agents, service providers or external visitors. It does not deal with the use of web filtering gateways by data controllers providing internet access via a public Wi-Fi, as is the case with retailers, media libraries or other public or private organisations.

More from supervisory authorities

Human intervention in automated decisions: The Dutch data protection authority AP has developed guidelines for meaningful human intervention in algorithmic decision-making for organisations (in Dutch only). Art. 22 of the GDPR prohibits a decision based solely on automated processing that produces legal effects for data subjects or significantly affects them in another way. For example, if the employee reviewing a decision is hindered, or assesses a credit application under time pressure or with an unclear automated system, this can affect the outcome of the decision. The recommendations have been written as practically as possible to best address the questions organisations have.

Profiling online: The UK ICO prepared a draft of guidelines on Profiling Tools for Online Safety. This guidance applies to any organisations that carry out profiling, as defined in the UK GDPR, as part of their trust and safety processes. It is aimed at user-to-user services that are using, or considering using, profiling to meet their obligations under the Online Safety Act 2023. But it also applies to any organisations using, or considering using, these tools for broader trust and safety reasons. 

However, due to the Data Use and Access Act (DUAA) coming into law on 19 June 2025, this guidance is under review and may be subject to change. 

Data to train AI models

The European Commission presents a template for general-purpose AI model providers to summarise the data used to train their model (under Art. 53 of the EU AI Act). General-purpose AI models are trained with large quantities of data, but there is only limited information available regarding the origin of this data. The public summary will provide a comprehensive overview of the data used to train a model, list the main data collections and explain other sources used. The template will also assist parties with legitimate interests, such as copyright holders, in exercising their rights under Union law, in testing particularly powerful models with systemic risk for vulnerabilities and risks, in reporting serious security incidents, etc.

The template is part of a broader initiative linked to the EU-wide rules for general-purpose AI models kicking in on 2 August 2025. It complements the guidelines on the scope of the rules for general-purpose AI models, published on 18 July, and the General-Purpose AI Code of Practice released on 10 July. Also, France’s CNIL offers a guide on how model makers should best ensure their systems comply (in French). It also suggests solutions for companies to avoid using personal data when training their models.

Public disclosure of personal data

The UK ICO released guidelines for public bodies managing Freedom of Information requests and organisations answering Subject Access Requests, both of which can involve a lot of personal data. The guidance includes simple checklists and how-to videos, covering topics such as:

  • Deciding on an appropriate format for disclosure to the public 
  • Finding various types of hidden personal information, including hidden rows, columns and worksheets, metadata and active filters 
  • Converting documents to simpler formats to reveal hidden data  
  • Avoiding using ineffective techniques to keep information secure 
  • Using software tools designed to help identify hidden personal information (such as Microsoft Document Inspector)  
  • Reviewing the circumstances of a breach to prevent a recurrence 
  • Removing and redacting personal information effectively 
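The hidden-data checks in the list above (hidden worksheets, rows and columns, active filters, author metadata) can be automated before a spreadsheet leaves the organisation. The following is an added example, not code from the ICO or TechGDPR: it reads an .xlsx as the zip of XML parts it is, and the sample workbook it scans is constructed inline with only the parts the scanner needs (so it is not meant to be opened in Excel).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used inside an .xlsx package
NS = {
    "m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def build_sample_xlsx(with_hidden_data: bool = True) -> bytes:
    """Constructed sample workbook: a visible 'Summary' sheet and, when
    with_hidden_data is set, a hidden 'Salaries' sheet, a hidden row and
    column holding a (made-up) name and phone number, an active filter and
    an author in the document metadata."""
    M = NS["m"]
    R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    hidden_sheet = ('<sheet name="Salaries" sheetId="2" state="hidden" r:id="rId2"/>'
                    if with_hidden_data else "")
    workbook = (f'<workbook xmlns="{M}" xmlns:r="{R}"><sheets>'
                f'<sheet name="Summary" sheetId="1" r:id="rId1"/>{hidden_sheet}'
                '</sheets></workbook>')
    hidden_col = ('<cols><col min="3" max="3" width="0" hidden="1"/></cols>'
                  if with_hidden_data else "")
    hidden_row = ('<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>J. Doe</t></is></c>'
                  '<c r="C2" t="inlineStr"><is><t>+44 7700 900123</t></is></c></row>'
                  if with_hidden_data else "")
    auto_filter = '<autoFilter ref="A1:C2"/>' if with_hidden_data else ""
    sheet = (f'<worksheet xmlns="{M}">{hidden_col}<sheetData>'
             '<row r="1"><c r="A1" t="inlineStr"><is><t>Name</t></is></c></row>'
             f'{hidden_row}</sheetData>{auto_filter}</worksheet>')
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            + ('<dc:creator>J. Bloggs</dc:creator>' if with_hidden_data else '')
            + '</cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", sheet)
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


def scan_xlsx(data: bytes) -> list[str]:
    """Return human-readable findings for content that a reader of the
    rendered spreadsheet would not see but a recipient of the file can recover."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        # 1. worksheets flagged hidden or veryHidden in the workbook index
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(z.read("xl/workbook.xml"))
            for sh in wb.findall("m:sheets/m:sheet", NS):
                state = sh.get("state", "visible")
                if state != "visible":
                    findings.append(f"{state} worksheet: {sh.get('name')}")
        # 2. hidden rows, hidden columns and active filters in every sheet part
        for name in sorted(names):
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                ws = ET.fromstring(z.read(name))
                for row in ws.findall("m:sheetData/m:row", NS):
                    if row.get("hidden") in ("1", "true"):
                        findings.append(f"hidden row {row.get('r')} in {name}")
                for col in ws.findall("m:cols/m:col", NS):
                    if col.get("hidden") in ("1", "true"):
                        findings.append(f"hidden column(s) {col.get('min')}-{col.get('max')} in {name}")
                if ws.find("m:autoFilter", NS) is not None:
                    findings.append(f"active filter in {name}")
        # 3. author-type metadata in the package properties
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy"):
                el = core.find(tag, NS)
                if el is not None and el.text:
                    findings.append(f"metadata {tag}: {el.text}")
    return findings


if __name__ == "__main__":
    for line in scan_xlsx(build_sample_xlsx()):
        print("FINDING:", line)
```

A finding does not by itself mean personal data is present; it flags where a human reviewer must look before release, which is why converting to a flat format such as CSV after review is often the safer disclosure route.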

Data protection complaints increase

In the first half of 2025, significantly more people complained to the Lower Saxony State Commissioner for Data Protection about possible data protection violations than in the same period of the previous year. The authority recorded 1,689 data protection complaints from January to June 2025, compared to 1,186 in the same period of the previous year. This represents a sharp increase of approximately 42 per cent. The authority also noted significant increases in complaints from the health, social services, and municipal sectors, as well as from the real estate industry, credit reporting agencies, and the financial sector. One reason for the high number of data breaches and complaints is the increasing digitalisation of business and administration: as more personal data flows, the risk of data protection violations also increases.

Similarly, the Lithuanian regulator VDAI found that in the first half of 2025 most data breaches occurred due to human error, due to actions that the usually applied technical and organisational measures cannot guard against, and for other reasons (IT system errors, improperly performed programming work, etc.). It also found that a third of data security breaches were caused by cyber incidents (data encryption and ransomware attacks, unauthorised access to IT systems, social engineering attacks, brute-force attacks on login data, SQL injection and system disruption).

In other news

Temporary password fine: In Croatia, the personal data protection agency imposed an administrative fine of 320,000 euros on HEP-Toplinarstvo (an electric utility company). The agency received a report from a complainant that when requesting a change of a forgotten password on the HEP District Heating “My Account” portal, the user was sent a temporary password by e-mail, which was actually the last password set by the user. Also, all the passwords of users of the “My Account” portal (almost 16,000 of them) were stored in the controller’s database in readable form. This meant that the controller knowingly chose a solution that did not include basic data security measures, such as generating a genuine temporary password or encrypting the stored data, did not take into account the risks to the security of personal data, and did not conduct an assessment of the risks of processing users’ data.
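The two defects the Croatian regulator sanctioned (readable passwords at rest, and a “reset” that mails back the user’s existing password) map onto two design choices. The following is an added illustration, not HEP’s code: the faulted pattern is shown as the “before”, and a store that keeps only salted scrypt hashes and issues random, short-lived, single-use reset tokens as the “after”. The token lifetime is an assumed policy value.

```python
import hashlib
import hmac
import secrets
import time


class PlaintextStore:
    """Before: passwords kept in readable form, and a forgotten-password
    request simply e-mails the current password back. Anyone who reads the
    mailbox or the database holds every user's real credential."""

    def __init__(self):
        self.users = {}

    def register(self, user, password):
        self.users[user] = password                 # plaintext at rest

    def forgotten_password(self, user):
        return f"Your temporary password is: {self.users[user]}"


class HardenedStore:
    """After: only a per-user salt and scrypt hash are stored; a reset
    issues a random token, keeps only the token's SHA-256 with an expiry,
    and the token can be used exactly once to set a new password."""

    TOKEN_TTL = 15 * 60      # seconds; assumed policy value for the example

    def __init__(self, now=time.time):
        self.now = now       # injectable clock so expiry can be tested
        self.users = {}      # user -> {"salt": bytes, "hash": bytes}
        self.reset_tokens = {}   # sha256(token) -> (user, expires_at)

    @staticmethod
    def _hash(password, salt):
        # Memory-hard KDF from the standard library. Cost parameters are kept
        # modest so the example runs quickly; raise them in production.
        return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "hash": self._hash(password, salt)}

    def verify(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            return False
        # constant-time comparison of the stored and recomputed hashes
        return hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"]))

    def start_reset(self, user):
        """Return the token to send to the user, or None for unknown users
        (the caller should show the same generic message either way)."""
        if user not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()
        self.reset_tokens[key] = (user, self.now() + self.TOKEN_TTL)
        return token

    def finish_reset(self, token, new_password):
        """Consume the token and set the new password; False if the token is
        unknown, already used or expired."""
        key = hashlib.sha256(token.encode()).digest()
        entry = self.reset_tokens.pop(key, None)     # single use
        if entry is None:
            return False
        user, expires_at = entry
        if self.now() > expires_at:
            return False
        self.register(user, new_password)            # fresh salt and hash
        return True


if __name__ == "__main__":
    old = PlaintextStore()
    old.register("alice", "hunter2")
    print("before:", old.forgotten_password("alice"))   # leaks the real password

    new = HardenedStore()
    new.register("alice", "hunter2")
    token = new.start_reset("alice")
    print("after: reset token issued, stored entries:", len(new.reset_tokens))
    print("reset accepted:", new.finish_reset(token, "correct-horse-battery"))
    print("old password still valid:", new.verify("alice", "hunter2"))
```

Because the server keeps only the hash of the reset token, a read of the database yields neither passwords nor usable reset links, which is the property the fined design lacked on both counts.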

McDonald’s fine: The Polish UODO has fined McDonald’s Polska approximately 3.9 million euros after a personal data breach. A file shared in a publicly accessible directory contained data on McDonald’s employees and its franchisees: first and last names, passport numbers, McDonald’s restaurant number, work start date and time, work end date and time, number of hours worked, position, days off, type of day, and type of work.

McDonald’s entrusted the processing of personal data of its restaurant chain’s employees to an external company to manage work schedules. The controller did not have the authority to manage the resources and configuration of the IT system containing the employee schedule module. Only the processor had such authority. At the same time, the provisions of the personal data processing agreement, particularly those related to audits and inspections, were not implemented. The controller failed to exercise proper oversight over the entrusted personal data.

In case you missed it 

Agentic AI: The move to AI assistants and agents risks a sea change in privacy and security, states Privacy International. These services’ usefulness increases with the quantity and quality of the data they have access to, and the temptation will be to lower the friction of data controls to allow the processing of personal data. In one example, ChatGPT’s agent uses ‘connectors’ to interface with third-party applications, such as cloud data stores, calendars, email accounts, etc.

This allows ChatGPT’s agent to search data on those services, conduct deeper analysis, and sync data. This seems analogous to Anthropic’s ‘Model Context Protocol’, which provides context data from applications to LLMs. Consequently, Privacy International is worried that the AI tools:

  • would generate new datasets about you that create new risks;
  • could access and share your data at unprecedented levels; and
  • will store this data beyond your reach, across their services and in the cloud.

Bias in AI systems: The Federal Office for Information Security in Germany issued a white paper on Bias in Artificial Intelligence (in German). The term “bias” describes the resulting unequal treatment of individuals or organisations, which can have various causes. The document outlines bias identification and mitigation as a continuous process. It describes 11 different forms of bias, such as historical bias and automation bias, along with 13 mitigation strategies ranging from pre-processing to post-processing methods, and it highlights bias as a cybersecurity issue that compromises availability, confidentiality, and integrity.

What to do after appointing a DPO
https://techgdpr.com/blog/dpo-appointment/ (Fri, 29 Nov 2024)

Appointing a Data Protection Officer (DPO) is a significant step in ensuring compliance with data protection regulations. However, this appointment does not absolve the company of its compliance responsibilities. In reality, the role of the officer is to guide and advise, not to shoulder the entire burden of compliance. As DPO for companies around the world, TechGDPR has a defined DPO program to review documentation, conduct training and audits. Although other DPOs may adopt a different approach, the company must remain engaged. Companies must work closely with the DPO to stay informed and ensure adherence to data protection laws. Ultimately, the liability for data protection remains with the company, making active involvement, continuous collaboration and oversight essential. This article explains the necessary company involvement once the DPO is appointed and the collaborative efforts required to maintain compliance.

Active company involvement in DPO activities

Time involvement

When a company appoints a DPO, it must be prepared to invest time into maintaining compliance. Compliance is not a state reached once and for all; it has to be maintained, and it does not stop at the appointment of a DPO. The DPO, while knowledgeable and skilled, cannot single-handedly ensure the company’s adherence to data protection laws. Regular meetings between the DPO and company leadership are essential to address open and emerging compliance issues.

Reasonable time involvement for regular meetings might range between 30 minutes and an hour every 2 weeks or monthly, depending on the size and industry of the company and the number of persons involved. Other activities such as training and compliance audits will require 2 to 10 hours each, depending on the training needs of the company and the scope of the audit. Without this active involvement, the DPO will lack the insights necessary to effectively manage data protection risks. Furthermore, a fast-evolving regulatory landscape requires continuous monitoring and adaptation. By dedicating time to collaborate with their DPO, companies can anticipate and mitigate potential adverse impacts on business operations. This proactive approach not only protects the organisation but also builds trust with customers and stakeholders. Ultimately, the time invested in supporting the DPO is an investment in the company’s reputation and long-term success.

Team involvement

Companies should plan, resource and facilitate the involvement of relevant team members to support DPO efforts. This involvement is vital because data protection is an organisation-wide responsibility extending beyond the DPO’s expertise. By engaging various departments such as IT, HR, legal, and marketing, companies ensure comprehensive coverage of their operations. Each department handles different types of data and is responsible for specific processing activities. This makes department-specific participation vital in data mapping (Article 30 of the GDPR), identifying risks and implementing effective safeguards. Collaboration fosters a culture of data protection awareness, helping to embed compliance into the company’s daily operations. Moreover, involving team members allows for more efficient and timely responses to compliance issues than routing all communication through one single person in the company. Such collective effort minimises the risk of a single point of failure. It also ensures that the DPO is able to maintain actual oversight of company operations.

Information & documentation

A DPO cannot function efficiently without the full cooperation of the company. Companies must be prepared to provide comprehensive information and documentation to support DPO efforts. This includes information about data processing activities, access to internal policies, details about data subjects, the purposes of data processing, data retention periods, records of data breaches or security incidents, as well as other documentation and systems relevant to data protection compliance. This is crucial because the DPO relies on accurate and up-to-date information to assess compliance with data protection laws effectively. By providing information, companies empower their DPO to conduct thorough assessments, identify potential compliance issues, implement appropriate safeguards and offer sound advice on mitigating risks. Additionally, proper documentation supports the DPO in demonstrating compliance to regulatory authorities, which can protect the company during audits or investigations. Open communication and information sharing are essential for ensuring ongoing compliance and mitigating potential legal and reputational damage. Ensuring the DPO has all necessary information and documentation not only aids compliance but also enhances the company’s overall governance and trustworthiness. Since DPOs are bound by confidentiality, companies may safely share information.

Adequate resourcing

Article 38(2) of the GDPR states that organisations are required to provide the DPO with the necessary resources to carry out their tasks and maintain their expert knowledge. This includes allocating a sufficient budget and access to the highest management level, ensuring that the DPO is consulted before key decisions are made. Without these resources, the DPO cannot effectively monitor compliance, conduct audits, or provide essential training to employees. Inadequate support undermines the DPO’s ability to fulfil their regulatory duties.

According to the EDPB (formerly known as Working Party 29) Guidelines on Data Protection Officers, the following resources should be provided to the DPO:

  • active support of the DPO’s function by senior management;
  • sufficient time for DPOs to fulfil their tasks;
  • adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate;
  • official communication of the designation of the DPO to all staff;
  • access to other services within the organisation so that DPOs can receive essential support, input or information from those other services;
  • continuous training.

Ensuring proper resourcing is not only a legal obligation but also a strategic investment in the company’s data protection framework. Failing to properly resource can lead to compliance risks and potential penalties for the company.

Responsiveness

Open communication is important for a successful relationship with the DPO. Responsiveness on the company’s part ensures that the DPO has timely access to requested information and resources, enabling them to fulfil their duties accurately. Companies must be responsive to the DPO’s requests for information, data, or support. This includes timely responses to emails, attending meetings, participating in data protection compliance audits, training, etc. By promptly addressing the DPO’s requests, companies help identify and mitigate their potential compliance risks. Ignoring requests or delaying responses to the DPO can lead to oversights, lapsed statutory deadlines and non-compliance, e.g. failing to acknowledge or fulfil a data subject request, or failing to notify the supervisory authorities of a reportable data breach. This exposes the company to significant legal and financial risks. Therefore, maintaining a proactive and supportive relationship with the DPO is crucial for upholding data privacy standards and protecting the company’s interests.

Ensure active engagement with your DPO

In summary, appointing a DPO is only one part of a company’s compliance journey. True compliance requires the company to commit time, involve team members, provide necessary information and documentation, allocate adequate resources and respond in a timely manner to requests. While the DPO offers valuable advice and oversees compliance activities, the ultimate responsibility for compliance will always rest with the company. So, when unsure how to interact with your DPO after appointing one, make sure to ask and clarify the expected staff involvement in your organisation. Active involvement and continuous support for the DPO are essential to maintaining data protection compliance. By embracing these responsibilities, companies can ensure they not only meet regulatory requirements but also uphold the highest standards of data privacy and security.

Misconceptions about the role of a Data Protection Officer (DPO)
https://techgdpr.com/blog/dpo-misconceptions-about-the-role-of-a-data-protection-officer/ (Wed, 14 Jun 2023)

For many organisations, the appointment of a DPO has become mandatory. Although Articles 37 to 39 of the GDPR make provisions for the designation, position and tasks of a DPO, some misconceptions still exist about who needs one, who can be one and what kind of tasks a DPO can undertake.

Who is a DPO?

According to GDPR Art. 39, the data protection officer is responsible for:

  • advising the controller or processor about their obligations under the GDPR and monitoring compliance with the same;
  • awareness-raising and training of staff involved in processing operations and related audits;
  • cooperating with, and acting as contact point for the supervisory authority on issues relating to processing.

According to Article 38.3 of the GDPR, the DPO shall report directly to the top management of the controller or processor. Article 38.3 further states that the DPO must not receive instructions from the controller or processor regarding the exercise of their statutory tasks. The DPO shall not be dismissed or penalised for performing their tasks.

Based on the foregoing, a DPO is an independent officer reporting to top-level management of an organisation and responsible for monitoring compliance with, and advising on applicable data protection laws within that organisation.

A DPO can either be a qualified individual or an organisation. According to article 37.6 of the GDPR, a DPO may fulfil its tasks on the basis of a service contract. The Article 29 Working Party (WP29) further explains that a service contract may be concluded with an organisation for DPO services. In this case, individual skills can be combined so that several individuals, working in a team, may efficiently serve their clients. Such organisations offer DPO as a service.

Does my organisation need a data protection officer?

The office of the DPO is a statutory creation. Having looked at its tasks, you might ask: do I need one? Article 37 of the GDPR states that controllers and processors shall designate a DPO. Interestingly, it provides instances where a DPO must be appointed, but not where it is not necessary to do so. According to Article 37 GDPR, appointment is necessary where:

  1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  3. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.

However, GDPR Article 37.4 states that in all other instances, an organisation may voluntarily appoint a DPO, or must do so if required by member state law.

Section 38 of the German Federal Data Protection Act (BDSG) provides that the controller and processor shall designate a data protection officer if:

  • they constantly employ, as a rule, at least 20 persons dealing with the automated processing of personal data;
  • the controller or processor undertake processing subject to a data protection impact assessment pursuant to Article 35 of Regulation (EU) 2016/679;
  • they commercially process personal data for the purpose of transfer, of anonymized transfer or for purposes of market or opinion research, […] regardless of the number of persons employed in the processing. 

Misconception

Every German business needs to appoint a DPO.

Clarification

Under the BDSG in Germany, your business must appoint a DPO if it:

  • employs at least 20 persons;
  • carries out the automated processing of personal data or processing subject to a data protection impact assessment;
  • commercially processes personal data for the purpose of transfer, of anonymised transfer or for purposes of market or opinion research.

Under the GDPR, organisations need to appoint a DPO if:

  • they are a public authority or body, except for courts acting in judicial capacities;
  • their core activities consist of processing which require regular and systematic monitoring of data subjects on a large scale;
  • their core activities consist of processing special categories of data on a large scale or personal data relating to criminal convictions and offences.

Can I appoint an employee within my organisation as DPO?

Misconception

Anyone with the relevant knowledge within my organisation can be its DPO.

Clarification

According to Article 37.6 of the GDPR, the DPO may be a staff member of the controller or processor. A DPO may also fulfil the tasks on the basis of a service contract. However, Article 38.6 states that an organisation must ensure that the duties of its DPO do not result in a conflict of interests. Article 38.3 states that the DPO shall:

  • not receive instructions regarding the exercise of its tasks;
  • not be dismissed or penalised for performing its tasks;
  • directly report to the highest management level.

Conflict of interest

A conflict can arise where the DPO also determines the means and purposes of the processing of personal data. For instance, a Chief Information Security Officer will often implement measures to secure data, e.g. establishing access controls. Steps taken towards securing data can also qualify as processing, e.g. the pseudonymisation and encryption of data. It would therefore create a conflict of interest if the officer determined the means of processing and, as DPO, also had to conclude that those means of processing are non-compliant with the GDPR.

In September 2022, the Berlin supervisory authority issued a fine of €525,000 to an e-commerce company. An employee in a managerial position was appointed as DPO. The company had thus appointed a data protection officer who was to independently monitor decisions he had taken in a different capacity. The Authority stated that a data protection officer cannot both monitor compliance with data protection law and co-decide about it. Such self-regulation contradicts the independent function of a DPO, who is supposed to be responsible for data protection compliance within the company.

The WP29 in its Guidelines on Data Protection Officers (DPOs) states that ‘… conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing’.

Measures to avoid DPO conflict of interest within an organisation

Controllers and processors can put measures in place to avoid conflicts of interest when appointing an internal DPO. The WP29 provides a list of measures in its Guidelines on DPOs; however, the list is not exhaustive. Organisations should continue to avoid conflicts of interest by any means necessary. The measures offered by the WP29 are that organisations should:

  • identify the positions which would be incompatible with the function of DPO;
  • draw up internal rules to this effect in order to avoid conflicts of interests. Drawing up rules helps management stick by them;
  • include a more general explanation about conflicts of interests;
  • declare that their DPO has no conflict of interests with regard to its function as a DPO, as a way of raising awareness of this requirement;
  • include safeguards in the internal rules of the organisation and ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed […]. In this context, it should also be borne in mind that conflicts of interests may take various forms depending on whether the DPO is recruited internally or externally.

Summary

The GDPR specifically provides for the office, appointment, position, tasks and duties of a DPO. Whether or not you need one will depend on factors stated in the GDPR. It will also depend on the respective applicable national data protection laws. When appointing an employee as your DPO, it is also important to assess the possibility of a conflict of interests. Internal DPOs are more prone to conflicts of interest since they are saddled with other tasks in the organisation. Organisations should be mindful of which tasks would prove incompatible with the independent oversight of the DPO.

No specific section of the GDPR deals with the liabilities of a DPO around ensuring compliance. This is because controllers and processors are liable for non-compliance at all times. Understandably, an officer who is able to execute their tasks without fear is more likely to act independently. In addition, because DPOs do not make management decisions or determine the means and purposes of processing, they could not possibly be liable for those decisions. According to the Guidelines of WP29, a DPO could still be dismissed legitimately for reasons other than for performing his or her tasks as a DPO (for instance, in case of theft, physical, psychological or sexual harassment or similar gross misconduct).

If you would rather appoint an external DPO or need help in determining whether to appoint one, contact us for a tailored assessment.

The post Misconceptions about the role of a Data Protection Officer (DPO) appeared first on TechGDPR.

How to appoint a data protection officer? https://techgdpr.com/blog/how-to-appoint-a-data-protection-officer/ Sun, 14 Jun 2020 11:05:00 +0000

Who should be appointed as DPO?

This can either be an internal position, or can be assigned based on a service contract. Any assignment of a DPO should be free of conflict of interest, and the DPO should report to the highest body in the organisation. While a DPO may also hold another position in the company, the role cannot be combined with many other roles, such as CTO, CEO, CMO, or any role in a department whose interests are not aligned with data protection. The DPO must have the freedom and independence to report breaches to the authorities.

If you are dealing with sensitive data, data related to criminal convictions or monitoring users on a large scale, it is likely you will need to appoint a Data Protection Officer (DPO).

DPO as a Service/External DPO

Unless you represent a large organisation, it is usually much easier and more cost-efficient to assign an external DPO with a service contract to monitor your compliance for you.

TechGDPR offers DPO services based on a monthly contract, where a certain amount of service hours are included every month. A DPO from TechGDPR is not only experienced and skilled, he or she also has the technical know-how to talk with you on a technical level, and is your trusted advisor for any privacy and data protection related matters. It’s not just about compliance, it’s also about doing the right thing for your data subjects and your organisation, and TechGDPR helps you with that.

The key tasks of a DPO under the GDPR include the following activities:

  • Informing and advising the data controller or the data processor and the employees who carry out processing of their obligations.
  • Monitoring compliance with the GDPR, with other provisions and with the data protection policies of the controller or processor.
  • Assigning responsibilities, raising awareness, and training staff involved in processing operations.
  • Performing or leading GDPR related audits.
  • Performing or providing advice about data protection impact assessments.
  • Cooperating with the supervisory authority.
  • Acting as the contact point for the supervisory authority on issues relating to processing.
  • Being responsible for prior consultations.
  • Having due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

Beyond the tasks specified in the GDPR, a TechGDPR Data Protection Officer will help you with many other things as well: handling subject access requests, change advisory, and keeping you up to date about technology-related GDPR matters.

Blocks Ascending: The GDPR Checklist for Any Blockchain Project https://techgdpr.com/blog/blocks-ascending-gdpr-checklist-for-blockchain-startup/ Mon, 17 Sep 2018 08:13:56 +0000

The rise of blockchain technology, and of its accompanying data-centric enterprises, is starting to impact how technology around the world is regulated. From China cracking down on ICOs, to new data privacy laws in California, to countries attracting entire crypto-economies to their shores, the global data privacy landscape is complex and constantly in flux. Such conditions can tempt startup leaders in the blockchain space to wait before responding to new regulations, particularly Europe’s GDPR, until a clearer course of action reveals itself – but this is not the right approach. Even now, there are several common-sense questions that anyone working in blockchain should ask themselves about GDPR compliance. Here are a few.

Do I have a website? Do I use analytics for that website?

It seems obvious, but before considering the risks of any platform, any peer-to-peer network, or even any business model, consider your website. On your typical website, information is being collected about who is visiting. This could be as mundane as basic analytics, or even a standard email list. Depending on how this information is gathered (and how consent to share data is established), it’s possible to be in possession of what the GDPR classifies as personal data. This is a problem that can easily be solved if attention is paid to web analytics early on.

Do apps impact the privacy of my blockchain network?

It could be your own app, or it could be someone else’s. Many bitcoin exchanges, for example, are very vulnerable to hacking, raising the chances of losing the personal data of their users. Conversely, more traditional financial institutions have an interest in monitoring certain blockchain activity, especially cryptocurrencies. This creates a financial incentive to keep an eye on the size of crypto markets, as well as their weaknesses. Having the ability to identify data controllers in the event of a breach is an important step towards improving application security, particularly for blockchain companies.

Do I have a contingency plan in place if a regulator approaches me?

Let’s assume that you founded a startup using blockchain technology, and are making meaningful efforts to comply with the GDPR. Is there someone in your organization who can prove this? For reasons you did not anticipate, regulators may need to inquire about your data storage practices. If that occurs, having someone assigned to providing key information is critical. If you cannot do this (and show it on a technical level), difficulties can quickly arise. To that end, it is important to ensure that companies have defined internal guidelines and contingency plans concerning data security in general. These guidelines can then be pragmatically applied to how blockchain technology is being used. It may be important to distinguish between broader company practices and a particular blockchain project. All of these needs require the effort of more than one person or department, but can be much better coordinated with the help of a Data Protection Officer.

Illustration of large wave representing GDPR about to overtake a small ship representing a blockchain entrepreneur, created by Jesse van Mouwerik for TechGDPR

Am I or any of my B2B Partners working with end users?

Even if your startup isn’t working with end users, one of your partners might be. B2B transactions can end up involving some degree of personal data, depending on the partnership. It’s good to be aware of this as it concerns your own partnerships. A common assumption is that unless a blockchain company is made purely for ordinary consumers, it does not have to worry about personal data or data security as it relates to EU citizens. This is a myth. Though there is less likelihood of having trouble, the trouble that a B2B product could have is also less clear, varying from case to case. There are often straightforward specifications surrounding different cases, especially as they concern B2B marketing. But if a company is to comply, it must know what these specifications are.

What tools am I relying on to conduct my business?

This could apply to digital tools or standard hardware. Blockchain platforms, whether on servers or smartphones, require the interaction of many different devices. Having at least some idea of device security is key to maintaining the integrity of your blockchain network, especially when it comes to IoT products, which pose a data security risk if they are not properly patched. Though blockchain can also potentially improve IoT security, articulating a concise strategy that also shows compliance takes some time.

Do I really need a DPO? If so, how often?

As already mentioned, DPOs at companies provide regulators with the information they need when questioned, but that isn’t their only function. They also do a great deal of important work for companies undertaking any significant data processing. In Germany, for example, companies of a certain size are now required to have DPOs. If a full-time DPO hire isn’t necessary, companies can also outsource DPO work to trusted third parties. What’s most convenient for blockchain startups is typically to use the services of a blockchain DPO. This way, the DPO is already familiar with the technology in use, as well as understanding GDPR requirements.

Nearly all blockchain startups are affected by at least one of the above scenarios. In each case, being prepared is far easier and far less costly than being hesitant.

To stay up to date on how the GDPR affects technology, follow TechGDPR on Twitter.

GDPR Compliance: It’s a Process, Not a Product https://techgdpr.com/blog/gdpr-compliance-its-a-process-not-a-product/ Tue, 10 Jul 2018 10:09:33 +0000

GDPR compliance mandates can be tricky to interpret for companies handling advanced technology. For leaders in tech, it can be tempting to look at the new rules laid out by Europe’s GDPR and seek a simple, one-size-fits-all solution to the problem of sustained compliance. As any good CISO will tell you, however, such solutions do not exist. Instead of approaching the GDPR as a box to tick, a hurdle to jump, or even an eloquent privacy agreement with an anxious little ‘I agree’ button at the bottom, it is best to see GDPR compliance for what it truly is – a process, not a product. The price of not doing so can prove as much a threat to a company’s competitive advantage as it is to its ability to avoid those 20 million euro fines.

The Current Perception

Proof of perception impacting preparedness can be found everywhere. Often presented in the form of regulatory horror stories, it is perhaps little surprise that the rollout of the GDPR has caused many businesses to react with a mix of fear, frustration, and at times, outright confusion. This mindset has already led to bad results. With half of affected companies predicted not to be fully GDPR compliant by the end of 2018 and 60% of affected US companies being unprepared, it is painfully apparent that a fog of reluctance still hangs in the offices and meeting rooms of more than a few vulnerable firms. It is a mistake for companies to interpret the new mandates as something that can be cleaned up with a bit of legal paperwork and some new privacy updates. In fact, practical measures for integrating the compliance process into daily operations will make businesses more competitive, rather than less.

The Scope of Work – Beyond Only Tech

Whether collecting user consent, appointing a DPO, or identifying sensitive data, this consultancy recognizes that each company has different needs in terms of GDPR compliance, and each case involves its own unique scope of work that must be identified. GDPR compliance is about tech, but it’s not all about tech. When we first speak with companies, we are looking to understand several other important factors before diving into their use of technology. We initially need to map out the scope of their compliance issues. Some companies are well on their way, but other companies have problems that go beyond the GDPR. In these cases, going through the compliance process can help with planning projects, communicating across teams, and measuring long-term success. If you can measure key performance indicators, you can be GDPR compliant.

Regardless of company size, sector or current compliance needs, these are the four primary questions we ask ourselves as we begin providing support to the compliance processes of the companies we work with:

What has the company done before in service to data protection?

Does the company have methods in place to secure the privacy of their customers, or is data being collected without a consistent plan for what will be done with it later? Has the company considered the human, as well as the financial cost of data breaches? Do they have team members who understand, through lived experience, the security concerns of their customers? The more complete the answers to these questions, the more beneficial any risk assessment will be to the company.

abstract image created by Jesse van Mouwerik for TechGDPR

Is the company’s leadership willing and able to make necessary changes?

Data protection may require a change in business practices, and some team leads may not be at ease with the pace or direction of such changes. Data protection may necessitate changing vendors, hiring a Data Protection Officer, or spending time on training essential staff to meet new challenges. All of this costs time and money, which must be accounted for. Someone with the authority to devote resources to compliance needs to be willing, or else there will be significant delays to the compliance process.

What is the company’s management structure like?

What sort of project management processes have been adopted? Are there any processes in place to deal with time-sensitive issues? What are they? When employees spot problems, is there a defined process for reporting their concerns? How does the team usually respond? Companies that ignore critical vulnerability reports may be in for a shock when they read about the responsibilities of a Data Protection Officer, including being a point of contact for Data Protection Authorities that must be notified about breaches even when there is no customer impact.

What role should software play?

Many companies may be familiar with a particular kind of software that they would like to use in order to keep their compliance protocols consistently monitored, maintained, and documented. For these purposes, software can be fantastic. It can scan large systems of data, support project management goals, assist in data-mapping, and streamline certain administrative tasks. That being said, even the best programs cannot train your people, design your products, or configure your data collection practices to automate subject access requests. Here, human-led procedural oversight must be instituted. Software can enhance well-established compliance practices – not replace them.

abstract image created by Jesse van Mouwerik for TechGDPR

Continuing the Process

When it comes to GDPR compliance, perhaps the easiest thing to lose sight of is the fact that just like technology, the law is constantly evolving in response to people’s wants and needs. Keeping a vigilant eye on existing procedures and being transparent to customers about data usage is something that any capable company should already be doing – even without the GDPR. But more must be done to maintain compliance through an ongoing process. As technologies reliant on Blockchain or Big Data continue to develop, so too must our understanding of how to implement compliance within new platforms and services.

At present, we must relegate thoughts of data protection as a one-time event to the cobwebbed catacombs of a pre-GDPR world. New laws outside of Europe demonstrate that the public demand for privacy isn’t going anywhere. Companies that rise to the occasion and recognize GDPR compliance as an ongoing process in service to their customers rather than a patchwork appeasement product for regulators will have everything to gain. It appears no agree button can offer that yet.

To stay up to date on how GDPR affects technology, follow TechGDPR on Twitter.
