Greetings from London!
I was in Canary Wharf yesterday for the annual Data Protection Day hosted by EY. I had the pleasure of opening the morning session and chairing a panel of EY privacy senior management with Angela Saverice-Rohan, CIPP/US (U.S.), Fabrice Naftalski, CIPP/E, CIPM (France), Ian Williamson (U.K.), Jyn Schultze-Melling (Germany) and Tony De Bos, CIPP/E (the Netherlands) to discuss the "state of play" in their respective jurisdictions ahead of the GDPR coming into force in May. There is clearly a great deal of diverse activity in terms of preparations and GDPR awareness.
One comment made by Naftalski deserves particular mention. He has been observing, through client work, that several businesses are looking at BCRs (binding corporate rules) as an "onboarding accelerator" for GDPR compliance, as a demonstration of accountability in and of themselves. This is interesting, in that BCRs are taking on a whole different value, in addition to their original purpose as a mechanism for international data transfers.
There was also an interesting panel discussion from industry clients on the role of the DPO and the different models affecting the positioning and functioning of DPOs from different organizational and strategic perspectives. One of the panelists described the initial inception of the DPO function at their company, when it was incorporated into the information security function. After an initial learning curve, and following a broad strategic consultation, the company took the decision to implement a privacy and security working group comprising representatives from across the different functional departments, reporting into the executive board.
Given their business model, it was deemed that the two functions, privacy and security, made up a significant component of their overall governance strategy, resulting in the working group being headed up by an appointed governance director responsible for both security and privacy and, by extension, fulfilling the role of the DPO. In another example, we heard about the creation of a global privacy steering committee headed up by a chief legal officer, working with a CPO responsible for the tech side of the business, who in turn is advised by a special in-house counsel on GDPR matters.
When we say there is no "one size fits all," we mean it. There are multiple variations of how DPO functions are being deployed.
Speaking to EY's own approach, they too have a global GDPR working group that aims to provide strategy and guidance for the member firms across the four continents where they are present, determining the requirements for DPO appointments across the network of offices; these are extensive requirements due to the nature of EY's business scope. As for Europe, the internal message is clear: member firms need to formally appoint a DPO, or one DPO to serve several smaller member firms where practical.
All in all, while the GDPR remains uncharted waters in many respects, the business and privacy professionals attending yesterday were privy to some great insights from GDPR programs in action; there were plenty of organizational initiatives shared that might well serve as benchmarks for others present. The GDPR applies from 25 May, and the journey continues from there.
One thing seems a given: there is no return ticket on the table.