Cyber Security: Third-party data protection takes the pressure off

For smaller organisations, outsourcing the data protection officer role required by GDPR makes sense, which is why ISAS offers DPO as a Service, writes Conor Flynn

We have just “celebrated” the first birthday of the EU general data protection regulation (GDPR) and the supporting legislation in Ireland, the Data Protection Act (2018). It has been a busy year - and longer for those who were preparing - when it comes to personal data and the appropriate care of that data.

Many organisations have determined that due to the nature of the personal data being processed, the manner of that processing or the fact that they are a public sector body (PSB), they must have a data protection officer (DPO). Some other organisations have determined that it is appropriate for them to have a DPO from a good governance perspective, even if they are not required to have one.

The role of the DPO is quite specifically defined in the GDPR and is particularly onerous on smaller PSBs due to the specific role requirements and also the seniority expected of the role holder. The DPO is expected to be able to keep the most senior level of management appraised of the levels of compliance of the PSB and also manage the compliance of the various sections in the PSB and their privacy programmes.

The GDPR foresaw the issues now being recognised by many PSBs that they would be unable to justify a full-time staff role that was independent of any other role that would be seen as a conflict of interest for the DPO. The GDPR provides for organisations to outsource the DPO role to suitably qualified third-party service providers such as Information Security Assurance Services Ltd (ISAS).

Article 37 of the GDPR outlines some of the specifics with regard to the designation of the data protection officer. Of particular note are items 5 and 6. These refer to the competencies expected of the DPO and the fact that the DPO role can be fulfilled as part of a services contract by a third party:

“5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

“6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.”

It is on this basis that we at ISAS have developed our DPO as a Service offering. In ISAS, we have a proven team who have the expert knowledge of data protection law and practices and have the ability to fulfil the tasks referred to in Article 39. Sinéad McDonald, our head of compliance and regulatory affairs, is a solicitor with 17 years of expertise in the area of EU regulation and compliance. The ISAS DPO team have practical experience in the area of data protection as well as completion of either the King’s Inns Advanced Diploma in Data Protection Law or the Law Society’s Certificate in Data Protection Practice qualifications.

ISAS has been working with clients in the protection of personal data and other information assets for many years, and this is now more formalised under GDPR rather than created because of GDPR. We are constantly developing our knowledge in this area and work with our clients to implement practical compliance regimes.

Conor Flynn, managing director of Information Security Assurance Services

As the GDPR and the Data Protection Act (2018) are so new, there is still some level of interpretation to be applied. The lack of precedent to refer to is challenging, particularly in complex data protection environments. The ISAS team are working closely with many of the data protection specialists in the leading law firms in Ireland and Britain to ensure the compliance of the ISAS clients.

When an organisation makes contact with ISAS regarding our DPO as a Service, our first step is to meet up with the prospective client to determine the type of service that would be appropriate for them. Based on the maturity of the data protection environment in the client, and their scale, ISAS will create a proposal for the client outlining the costs and also the resource requirements on the client’s part over the coming year.

In some cases, our service is used to quickly establish a compliant data protection environment in the client and then to develop in-house expertise and role holders in the client so that they become self-sufficient in the future. In other clients, it is their intent to keep the role as a service contract-based one.

A key part of this engagement with ISAS is awareness training and education for staff in the organisation with regard to their processing of personal data in terms of obligations and responsibilities. This awareness must also be increased at senior management level to ensure that they fully understand the responsibilities they have as controllers or processors.

The ISAS specialist assigned to the client will be formally registered by the client as data protection officer with the Data Protection Commission.

Martin Kerrigan, head of risk and assurance services in ISAS, is acting as DPO to a number of clients in the financial services area. Martin’s background in information security and qualifications in data protection have been a major boost for these clients.

“Being able to understand the technical and information security-related challenges of new and existing systems when carrying out DPIAs or risk assessments is seen as a major asset by our clients,” said Kerrigan. Julian Smith is one of our senior data protection specialists working with Martin on a number of these DPO as a Service engagements.

One of the strongest messages in feedback that ISAS gets from clients availing of our DPO as a Service offering is the breadth of skills they get from ISAS. We have a team of highly qualified specialists who are constantly advancing their skills in the area of data. This combined with our traditional areas of expertise in information security means we offer a very wide breadth of competencies under one roof to our clients.

When it comes to performing data protection impact assessments, risk assessments, review of systems claiming privacy by design and privacy by default, processor and third-party audits and so on, our infosec and data protection specialists can deliver on all these areas.

While DPO as a Service may not be a requirement, ISAS is in a position to provide a wide range of information security and data protection advisory and support services to our clients. Tom Gilligan and David Hickey are key members of the ISAS data protection team and deliver services including DPO as a Service to clients in both the public and private sectors.

A number of start-up companies in the fintech sector have engaged ISAS as part of their data governance commitment. This has also been a key factor in demonstrating to their stakeholders (investors and clients) that they are taking a mature approach to data governance. This is often a combination of the Chief Information Security Officer as a Service and the DPO as a Service.

If these services are something that may be of interest, please drop us an email at info@isas.ie and we would be delighted to meet up to discuss your requirements.