DATA SECURITY: A DAY IN THE LIFE OF BEEKEEPER’S DPO
In the post-Facebook data security landscape, GDPR compliance and personal data privacy are top-of-mind. For any company who works with digital internal communications and processes any customer data, the GDPR requirements extend to both internal and external business communications.
A Data Protection Officer (DPO) plays an essential role in a company’s data security strategy, entrusted to protect and secure internal communications for both employees and customers. Preparing for external audits, controlling access permissions, and prepping for data security breach scenarios––it’s all in a day’s work for a DPO.
As the job title suggests, the DPO has the responsibility to:
- Act as an independent monitoring and controlling entity to ensure customer data protection
- Act as a liaison, consultant, and incident manager for internal and external stakeholders
What is a Data Protection Officer (DPO)?
The DPO concept originated in the EU. Though not initially mandated, some countries––Germany, for example––were early adopters and made having a DPO a company requirement for customer data protection. DPOs had to be registered with the government, possess a keen understanding of IT, and a background in law.
However, before GDPR, the role was a loosely-enforced requirement. GDPR regulation mandates that companies work with a DPO. Key credentials for being able to perform the DPO role include the ability to perform data security and customer data protection assessments and data privacy consultancy.
How a DPO Monitors and Ensures Data Security
There are a number of data security processes where the DPO is the owner. For example, at Beekeeper, any request to access customer data requires review and approval according to the DPO approval process. In addition, GDPR compliance requires that any product being put on the market is assessed for data privacy. For example, when you are using a feature that is requiring input of personal data, you must be notified of the purpose, or why your personal data is required. It is the DPO’s role to ensure that the obtained personal data is also only processed by the application for the purpose obtained.
Anywhere data privacy is a concern, it is the DPO’s role to allow or deny access in regards to viewing, extracting, or reporting customer data. This may be in the form of ensuring only authorized employees of our customers have access to requested data. Think of a DPO as insurance for a company’s customers. When you get insurance for your car, you are then insured as a driver. That doesn’t stop you from having accidents, but it’s an essential layer of protection.
Five Pivotal Aspects of Customer Data Protection as a DPO
When it comes to data security and secure internal communications at company, a DPO has the following responsibilities:
1. Data privacy consulting.
2. Continuous auditing and controlling of cybersecurity and internal communications.
3. Customer data protection and serving the data privacy interests of the customer.
4. Interfacing between the company and external entities like Information Commissioners.
5. Making sure internal communications and data processing is sufficient for efficiency of reviews and other requirements of authorized access to data.
Data Privacy Impact Assessments
Privacy Impact Assessments are also a major part of a DPO’s position that specifically impact GDPR’s ultimate goal of privacy by design. Conducted by the DPO, privacy impact assessments hold the data privacy interests of the customers within the company as the highest priority. For example, if we have a new feature at Beekeeper, there is a spreadsheet that engineers fill out. As the DPO, I assess this information and reject it if there’s any deviation to the defined purpose stated to the customer or their consent in how their customer data will be handled.
Always remember that the DPO must work for the customer’s data protection and privacy interests above its employer’s interest.