Q&A ON DATA PRIVACY WITH BEEKEEPER DPO DR. AMIR AMERI
How secure is your business data protection? Are you prepared in the event of a data privacy audit? In light of GDPR requirements, Beekeeper’s own Data Protection Officer (DPO) Dr. Amir Ameri, answers some of the most pressing questions regarding data privacy and secure internal communications for your organization.
Q: What role does a DPO play in data privacy risk management?
A: From a governance perspective at a company, you have layers of risk management, risk control, and audits. All of the these functions act to govern the business data and provide data protection and data privacy for a company. Risk controllers write the policies; they are the owners of what we are supposed to do. They write the rule book. Risk managers are actively trying to abide by this rulebook.
For example, a risk manager is responsible for reinforcing a clean desk policy, and so not maintaining a clean desk will get an employee cited. An audit performs a control of what is a defined scope. A DPO is defined as a combination of all these three roles, focusing on the processing of data.
Q: Are there advantages to having an external or internal DPO?
A: One of the main attributes of the DPO role is that it is an independent role. The DPO doesn’t have to be an employee of the company. The important part is that the DPO remains the single point of truth from the service provider. In this sense, the DPO role can be one held inside or outside of your company.
Q: What is a Data Processing Agreement?
A: A DPO signs a Data Processing Agreement with the customer. This agreement outlines exactly what each party is legally permitted to do and not to do with business and customer data. Importantly, the Data Processing Agreement also covers what the technical and organizational measures implemented are for business data protection.
Q: What key principles does data privacy revolve around?
A: There are two main principles to consider with data privacy:
- Purpose: Identify what the purpose is for individuals giving access to their data.
- Consent: If a company wants to do anything outside of the stated purpose, the DPO needs to assess whether or not you have user consent.
For example, a DPO could approach a marketing team if any names are on an email list from outside the company. Another example is related to content permissions. Just because content has been cleared to be on another company's website doesn’t mean you have permission to post it on social media channels, without considering copyright and intellectual property rights.
Q: How is a DPO different from a CISO?
A: A significant part of the DPO’s work is consulting internally to management and employees, and providing the necessary educational awareness. Always remember that the DPO’s main purpose is to assess data privacy, and is very specialized. The CISO (Chief information Security Officer) thinks in a more broad view about business, stakeholders, IT, etc.
In contrast to the DPO role, the drivers for the CISO role are not only about being GDPR compliant. An important differentiating role is the legal mandate of the DPO compared to that of the CISO. A DPO must, and is obligated by law, to put the privacy and protective interests of obtained data in the forefront of the company's business interests.
Q: Does a DPO really look after the data privacy interests of customers?
A: Quite often, customers want a confirmation from a DPO that things are in order at Beekeeper when it comes to our internal communication and business data protection practices. The DPO is the door into that truth. If you as a company use the services of another company, where you have the personal data of your employees held within a third party company, you are obligated by your auditor to show that you have the risks of this third party company under control.
Let’s say company X is our customer, and Beekeeper is a third party provider to company X. Though Beekeeper is GDPR compliant, company X will be held accountable by their auditors for keeping their own company GDPR compliant.
Q: What’s the most common request a DPO might receive related to business data protection?
A: On a daily basis, I receive at minimum two to three requests asking me as the Beekeeper DPO to fill out questionnaires and Q&As for a partner or customer’s auditors.