Safeguarding Your Data Assets with an Outsourced Data Protection Officer

By Aaron Martin - 27 Aug 2018

Do you know what your data is worth?

These days, the value of data cannot be overstated. In fact, you’ve probably heard the idea tossed around that your data is your most valuable resource. For many businesses, SaaS or otherwise, this is arguably quite true. But if you’re hoping for an equation that you can use to actually quantify your data, good luck - even the guys at MIT Sloan have only begun to scratch the surface of that idea. On one side there’s the positive value that can be gained when a business harnesses that data effectively; on the flipside, there’s the tremendous cost of losing or mishandling data.

Suffice to say that the value of your data - whatever it may be - has gone up considerably in recent years. Mounting concern worldwide about data privacy has led to the enactment of strict regulations that place a daunting responsibility on businesses to secure their data to a very high standard. Businesses of all sizes (yes, yours too!) must now demonstrate that they have systems in place to protect the data they handle in order to satisfy not only their legal obligations but also the expectations of their customers and shareholders. Those that don’t do so risk losing market share to their better-prepared competitors.

As a result of this trend toward better data protection standards, more and more businesses are looking to professional data protection officers to help leverage this opportunity to gain the advantage.

The Data Protection Officer

Largely unknown and hardly in demand three years ago, skilled data protection officers (aka DPOs) became a hot commodity in the months prior to the EU’s General Data Protection Regulation going live in May of 2018. The reason? A qualified and knowledgeable DPO can understand and articulate the complex laws and regulations that a business must adhere to, even those ‘grey areas’ in legal jurisdiction that arise when an international business needs to comply with multiple, overlapping, and sometimes contradictory laws.

Moreover, the DPO can assist an organisation with the complicated process of updating its data privacy and security: assessing the risk of a data breach and the impact of said breach, developing workable strategies and policies for data processing, and even training staff to act accordingly. With data at such a premium, you can imagine how valuable such expertise has become.

Why It Makes Sense to Outsource the DPO Role

While larger enterprises may be willing and able to employ an onsite DPO, doing so may not be practical for the average business. Fortunately, outsourcing the position is a viable alternative that has several advantages:

  1. The DPO position requires specialist skills that may not be readily available locally - especially if the IAPP’s (International Association of Privacy Professionals) prediction that we are facing a shortage of suitably qualified DPOs is correct (they anticipate a demand of 28,000 in the Eurozone alone, and a total global demand of 75,000).

  2. Outsourcing the DPO role saves businesses both time and money. By outsourcing the role, a business gains in four ways: cost, expertise, speedy implementation and scalability.

  3. Many small-to-medium enterprises (SMEs) that are not under any regulatory compulsion to appoint a DPO may still decide to outsource the position to a service provider in order to qualify to bid for tenders floated by large public sector undertakings.

  4. Small companies often find it hard to grapple with the complexities involved in fully understanding data processing and data security operations. Outsourcing the role of the Data Protection Officer may be the best option for them.

  5. Another important reason for outsourcing the role is that an external service provider has no conflict of interest between the DPO function and the business’s other activities.

  6. Outsourcing the role of a DPO will help businesses apply best practices with regard to data security, helping them both achieve and maintain regulatory compliance.

With the value of data at an all-time high and the risks of mishandling that data incalculable, it makes good business sense for the majority of SMEs to partner with a data protection officer who can advise them on the best (and most cost-effective) ways to meet their needs. Interested in finding out more about what a virtual data protection officer can do for you? One of our consultants would be glad to fill you in. Simply visit our contact page and drop us a line, and we’ll get in touch with you to answer any questions you may have.

Canada’s New Data Breach Regulations: What You Need to Know

By Aaron Martin - 27 Aug 2018

Got customers in Canada?

Consider this your chance to get a jump on the newest update to Canada’s privacy law, PIPEDA (officially known as the Personal Information Protection and Electronic Documents Act). Effective November 1st, 2018, Canada will enact its Breach of Security Safeguards Regulations under PIPEDA, which update existing privacy law and establish new legal requirements for private sector businesses that experience a security breach.

Although it was published back in April of 2018, the PIPEDA update hasn’t gotten a lot of press - but that doesn’t mean businesses can plead ignorance come November if they’re not compliant.

If you believe your business operations fall under PIPEDA’s jurisdiction, here’s how you can prepare for the new law:

  • Prepare to report all security breaches - Businesses will be required to notify the Canadian Privacy Commissioner and their customers about ANY security breach that poses a “risk of significant harm” to an individual. Doing so will involve conducting a risk assessment to determine if the data is sensitive and if it could harm affected individuals. Details of the breach must be reported in writing - both to the Canadian Privacy Commissioner and to the affected individual(s). In addition, any third-party organisations that can assist the business in “mitigat[ing] harm to affected individuals” must be notified as well.

  • Implement strict recordkeeping - Obviously, to comply with the above, businesses need to know what data they have, who is handling that data, where it is going, and so on. Moreover, PIPEDA will require businesses to retain a record of any breach for at least two years after it occurred. Running a tight ship with regard to data management is the best way to comply with the new regulations, increase trust with your customers and avoid the financial consequences of a breach.

  • Update policies & procedures - For those organisations (especially startups) that haven’t drafted a data breach policy yet, now is an excellent time to get that wrinkle straightened out because it could become a bigger one come November. If you already have data breach documentation in place, you are ahead of the game but you likely will still need to update it to reflect the new regulations, including mandatory reporting.

  • Draft a breach response plan - Do you know who will be your first responders to a data security breach? Who contacts the affected parties? In order to respond to a breach in a way that will potentially reduce the damage, and keep you out of trouble with the federal government, having a breach response plan is a must.

  • Train staff - All personnel need to be aware of the new PIPEDA regulations and what they mean for them, regardless of their role. That’s not to say they need to read the law in full, but they should know their role in keeping your data secure. This includes understanding the risks that may lead to a breach.

Note: it may interest you to know that not all territories are affected. If your business activities are located solely in Alberta, Quebec, or British Columbia, you are already beholden to their existing equivalent legislation.

Naturally, the best way to approach PIPEDA is to keep your data secure in the first place, but preventing a security breach requires more than just a concerted effort by all staff. Sound data security also requires a comprehensive, systematic approach that not all organisations are equipped to deliver. As we saw when the European Union’s General Data Protection Regulation went live, small-to-medium enterprises in particular aren’t always equipped with the knowledge base to effectively combat the myriad risks out there, nor do they have the legal expertise to address their requirements under each new piece of legislation that comes into force.

If you have questions about your regulatory responsibilities or how to put together an effective data breach response, our team of experienced consultants can help. Feel free to get in touch with us via our ‘Contact Us’ page with any data privacy questions you may have. We look forward to chatting with you.

The Benefits of Outsourcing Your Data Protection Officer
Hiring a DPO is an important step for your business, so you naturally want to find a professional who offers an optimal balance of skill, experience, cost, and availability. In this article, we discuss the benefits of outsourcing your DPO, what the onboarding process typically looks like, and what services our team of privacy consultants can offer you.

Twitter Ordered to Change Terms and Conditions After Court Ruling in France
Twitter was fined 30,000 euros in France and is now required to change the way it gets permission to use the data it obtains from users. This follows a successful case brought by UFC Que Choisir, a not-for-profit consumer group that took issue with Twitter’s terms and conditions. The French High Court is expected to make rulings in similar cases brought by UFC Que Choisir against Facebook and Google.

GDPR’s Mandatory EU Representation... Are You Exempt? Find Out Here.
Regardless of the service you’re providing, you’re now required to comply with the European Union’s General Data Protection Regulation (GDPR) if any of your customers or end users are from the EU. For organisations that do not have a physical presence in the Eurozone, this means appointing a representative if not found exempt under Article 27. Find out if this requirement applies to you.