DPO Required at Buckingham Palace 

Imagine answering “Buckingham Palace” when someone asks you where you work!

The Royal Household, the collective departments that support members of the British Royal Family, is looking for a Data Protection Manager. According to the job advert:

“No two days will be the same and the unique nature and diversity of our information will challenge you. But you’ll have the opportunity to make an impact at the heart of this fascinating organisation.” 

Essential criteria include, amongst others, a relevant qualification in Data Protection, extensive practitioner experience within a complex organisation and broad knowledge of management processes and IT delivery. 

The salary is £50,000. If that does not persuade you, other benefits include 20% off the Royal Collection Trust Shops and complimentary admission tickets across all our locations! 

The deadline for applying is Sunday night (16/02/2025, 23:55). 

Are you a privacy professional wishing to advance your career in 2025? The Advanced Certificate in GDPR Practice is designed for experienced DPOs seeking to refine and expand their DPO skills and expertise.  

Enjoy reading our blog? Help us reach 10,000 subscribers by subscribing today!

Saudi Arabia’s New Data Protection Law Comes into Force on Saturday

Saudi Arabia’s first ever comprehensive Personal Data Protection Law (PDPL) comes into force this Saturday (14th September 2024). The new law regulates the collection, handling, disclosure and use of personal data. The Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA), which will initially enforce the new law, has now finalised the following documents following a period of consultation:

Guidelines for Binding Common Rules: These guidelines aim to specify the obligations of the parties involved in the transfer when personal data is transferred or disclosed to a country or international organisation that does not have an adequate level of protection for personal data. 

Standard Contractual Clauses (SCCs) for Personal Data Transfer: These clauses are one of the appropriate safeguards that Controllers and Processors may use in addition to the Binding Common Rules (BCR) and accreditation certificates from a body licensed by the Competent Authority. 

There are other useful guidelines on the SDAIA website, including on personal data destruction, anonymisation and pseudonymisation, as well as on records of data processing activities.

Training for the Data Protection Officer 

The draft rules for the appointment of a DPO have also been finalised. Article 5 of the rules states that the following Data Controllers need to appoint a DPO: 

  • A Public Entity that provides services involving processing of personal data on a large scale 
  • A Controller whose core activities are based on processing operations that, by their nature, require regular and systematic monitoring of data subjects 
  • A Controller whose core activities are based on processing of sensitive personal data. 

Whilst there is no requirement for others to appoint a DPO, in our view, it is good practice to do so as it will help drive compliance forward especially in the initial phases of implementing the new law. 

The rules place great importance on training for and by the DPO. Article 9(6) states:

“The Controller shall work on training and developing DPO’s in the fields of Personal Data protection and support them in obtaining professional certificates in this field to ensure raising their efficiency.” 

This has to be read alongside Article 4 and Article 8 (above). The latter states that one of the roles of the DPO is: 

“Participating in awareness activities, training and transfer of knowledge to Controller personnel regarding Personal Data protection and compliance with provisions of the Law, Regulations and ethics of data handling.” 

Through our KSA privacy programme, Act Now Training offers comprehensive and cost-effective training, from one hour awareness-raising webinars to comprehensive full day workshops and DPO certificate courses.

KSA DPO Appointment Rules Published

Saudi Arabia’s first ever data protection law becomes fully enforceable on 14th September 2024. The Personal Data Protection Law (PDPL) regulates the collection, handling, disclosure and use of personal data. Like many data protection laws around the world, including the UK GDPR, the PDPL contains a requirement for some Data Controllers to appoint a Data Protection Officer (DPO). On 8th July 2024 the Saudi Arabian Authority for Data and Artificial Intelligence (SDAIA), which will initially enforce the new law, published draft rules for the appointment of a DPO under the PDPL.

Who needs to appoint a DPO?

Article 5 of the draft rules states the following Data Controllers need to appoint a DPO:

  • A Public Entity that provides services involving processing of personal data on a large scale
  • A Controller whose core activities are based on processing operations that, by their nature, require regular and systematic monitoring of data subjects
  • A Controller whose core activities are based on processing of sensitive personal data.

Whilst there is no requirement for others to appoint a DPO, in our view, it is good practice to do so as it will help drive compliance forward especially in the initial phases of implementing the new law.

What skills does a DPO require?

Article 4 states that, when appointing a DPO, a Controller must ensure that the following requirements are met:

  • Having appropriate academic qualifications and experience in the field of Personal Data protection
  • Having sufficient knowledge of the Controller’s business and activities that involve processing of Personal Data
  • Having sufficient knowledge of Personal Data breach risks
  • Having sufficient knowledge of regulatory measures for Personal Data protection and other relevant organisational measures for performing DPO tasks.
  • Honesty and integrity, and not having been convicted of any offence involving dishonesty or breach of trust.

Who can be a DPO?

The DPO may be an executive, an employee of the Controller or an external contractor. They must be appointed in writing and publicised within the Controller’s organisation. Their contact details must be published in the Controller’s Privacy Notice.

Article 7 of the draft rules requires the Controller to immediately provide the regulator with contact details of the DPO upon their appointment through the National Data Governance Platform. Interestingly, the regulator has the power to request replacement of a DPO if it is found that he/she is not competent.

Role and Tasks

The DPO shall be responsible for the following tasks set out in Article 8:

  1. Providing support and advice regarding all aspects of Personal Data protection, including contributing to developing policies and internal procedures related to Personal Data protection at the Controller.
  2. Participating in awareness activities, training and transfer of knowledge to Controller personnel regarding Personal Data protection and compliance with provisions of the Law, Regulations and ethics of data handling.
  3. Contributing to reviewing plans of response to Personal Data Breach incidents, and ensuring that such plans are adequate and effective.
  4. Preparing periodic reports regarding Controller activities related to processing of Personal Data, and providing recommendations to ensure compliance with provisions of the Law and its Regulations.
  5. Maintaining the confidentiality of Personal Data and its level of sensitivity, based on its classification and relevant regulatory requirements, to determine the adequate level of protection and processing mechanism.
  6. Monitoring the Competent Authority’s issued laws, regulations and instructions and the equivalent, implementing any amendments thereto and informing the relevant departments of the same to ensure compliance therewith.
  7. Collaborating with individuals responsible for implementing activities related to AI ethics to ensure that the requirements of Personal Data protection and Data Subjects’ privacy are met.

Training for the DPO

The draft rules place great importance on training for and by the DPO. Article 9(4) states:

“The Controller shall work on training and developing DPO’s in the fields of Personal Data protection and support them in obtaining professional certificates in this field to ensure raising their efficiency.”

This has to be read alongside Article 4 and Article 8 (above). The latter states that one of the roles of the DPO is:

“Participating in awareness activities, training and transfer of knowledge to Controller personnel regarding Personal Data protection and compliance with provisions of the Law, Regulations and ethics of data handling.”

Organisations doing business in the Middle East need to carefully consider the impact of the new rules. Thought must be given to the appointment and training of a suitably qualified DPO. Through our KSA privacy programme, Act Now Training offers comprehensive and cost-effective training, from one hour awareness-raising webinars to comprehensive full day workshops and DPO certificate courses.

Act Now Partners with Middlesex University Dubai for UAE’s first Executive Certificate in DP Law

Act Now Training, in collaboration with Middlesex University Dubai, is excited to announce the launch of the UAE’s first Data Protection Executive training programme. This qualification is ideal as a foundation for businesses and organisations aiming to comply with the UAE Federal Data Protection Law.

This practical course focusses on developing a data protection framework and ensuring compliance with the UAE Data Protection Law’s strict requirements. This is particularly relevant given the recent advancements in Data Protection law in the Middle East, including the UAE’s first comprehensive national data protection law, Federal Decree Law No. 45/2021. 

This law regulates personal data processing, emphasising transparency, accountability, and data subject rights. It applies to all organisations processing personal data within the UAE and abroad for UAE residents.

The importance of understanding this law is paramount for every business and organisation, as it necessitates a thorough reassessment of personal data handling practices. Non-compliance can lead to severe penalties and reputational damage.

The Executive Certificate in UAE DP Law is a practical qualification delivered over 5 weeks in two half-day sessions per week and offers numerous benefits:

  1. Expertise in Cutting-Edge Legislation: Gain in-depth knowledge of the UAE’s data protection law, essential for professionals at the forefront of data protection practices.

  2. Professional Development: This knowledge enhances your resume, especially for roles in compliance, legal, and IT sectors, showing a commitment to legal reforms.

  3. Practical Application: The course’s structured format allows gradual learning and practical application of complex legal concepts, ensuring a deep understanding of the law.

  4. Risk Mitigation: Understanding the law aids in helping organisations avoid penalties and reputational harm due to non-compliance.

  5. Networking Opportunities: The course provides valuable connections in the field of data protection and law.

  6. Empowerment of Data Subjects: Delegates gain insights into their rights as data subjects, empowering them to protect their personal data effectively.

Delegates will receive extensive support, including expert instruction, comprehensive materials, interactive sessions, practical exercises, group collaboration, ongoing assessment, and additional resources for further learning. Personal tutor support is also provided throughout the course.

This program is highly recommended for officers in organisations both inside and outside the UAE that conduct business in the region or have customers, agents, and employees there. 

Act Now has designed the curriculum and will be delivering the course. Act Now Training is the UK’s premier provider of information governance training and consultancy, serving government organisations, multinational corporations, financial institutions, and corporate law firms.

With a history of delivering practical, high-quality training since 2002, Act Now’s skills-based training approach has led to numerous awards, including most recently the Supplier of the Year Award 2022-23 from the Information and Records Management Society in the UK.

Our associates have decades of hands-on global Information Governance experience and thus are able to break down this complex area with real world examples making it easy to understand, apply and even fun!

Middlesex University Dubai is a 5 star rated KHDA university and one of three global campuses including London and Mauritius. It is the largest UK University in the UAE with over 5000 student enrolments from over 120 nationalities.

For more information and to register your interest, visit Middlesex University Dubai’s website. Alternatively, you can click here.

Act Now Launches New UAE DP Officer Certificate 

Act Now Training is pleased to announce the launch of the new UAE Data Protection Officer Certificate.

Data Protection law in the Middle East has seen some rapid developments recently. The UAE recently enacted a federal law to comprehensively regulate the processing of personal data in all seven emirates. This will sit alongside current data protection laws regulating businesses in the various financial districts, such as the Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 and the Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021. In addition, there are several sector specific laws in the UAE which address personal privacy and data security. Saudi Arabia, Bahrain and Qatar also now have comprehensive data protection laws.

These laws require a fundamental assessment of the way Middle East businesses handle personal data from collection through to storage, disclosure and destruction. With enhanced rights for individuals and substantial fines for non-compliance, no business can afford to ignore the new requirements.

Act Now’s UAE Data Protection Officer Certificate has been developed following extensive discussions with our clients and partners in the UAE and builds on our experience of delivering training and consultancy in the region. The course focuses on the essential knowledge required by DPOs to successfully navigate the UAE data protection landscape. The course will also help DPOs to develop the skills required to do their job better. These include interpreting the data protection principles in a practical context, drafting privacy notices, undertaking DPIAs and reporting data breaches.

The course teaching style is based on four practical and engaging workshops covering theory alongside hands-on application using case studies that equip delegates with knowledge and skills that can be used immediately. Delegates will also have personal tutor support throughout the course and access to a comprehensive revised online resource lab. 

Ibrahim Hasan, director of Act Now Training, said: 

“I am really pleased to be launching this new UAE DPO certificate course. This is an exciting time for data protection law in the Middle East. Act Now is committed to contributing to the development of the DPO function in the region.” 

If you would like to discuss your suitability for this course, please get in touch. It can also be delivered as an in-house option.

Data Protection Officers and Conflicts of Interest


In May 2018, with the implementation of GDPR, some senior managers (and many junior ones) found themselves thrown into the then unknown statutory role of Data Protection Officer (“DPO”). Two years on, some now have a better understanding of their role whilst others are still battling to manage the many different requirements of the job.

Articles 38 and 39 of the GDPR outline the role of the DPO. They should, amongst other things, be:

  • involved in data breach discussions and investigations whilst being provided with adequate resource to fulfil their obligations;
  • not dismissed for the performance of their duties as DPO;
  • able to offer secrecy and confidentiality to data subjects in relation to data protection matters within the organisation; and
  • actively involved and consulted on the data processing risks associated with proposed data processing activities within the organisation, which are usually highlighted within the Data Protection Impact Assessment (DPIA).

The law is still in its infancy, and remains largely untested in the courts, but a recent case may lead to a few DPOs feeling a little nervous about their role.

€50,000 Fine

The Belgian Data Protection Authority recently issued a €50,000 fine to an organisation after it ruled that the organisation’s DPO had a conflict of interest under Article 38(6) of GDPR. The DPO had been employed by the organisation as the Head of Compliance, Risk Management and Audit in addition to acting as DPO.

A reportable data breach led to an investigation by the Belgian regulator, who sought to dig a little deeper into the organisation’s general approach to privacy compliance. The investigation focussed on three main potential infringements of GDPR, namely:

  1. The duty to cooperate with the data protection authority
  2. The accountability obligations of the organisation in relation to data breach notifications and data protection risk assessments
  3. The requirements related to the position of the DPO

The investigation found that the organisation’s DPO appointment failed to meet the requirements of the legislation as the individual was responsible for the processing of personal data in the areas of compliance, risk and audit and therefore could not independently advise on such matters.

Many data protection experts have interpreted this ruling as preventing any employee who is a “head of department” from carrying out the DPO role without a conflict of interest, although the situation is not as clear cut.

Conflict of Interests

Whilst the employer will pay their salary, the DPO must be able to act independently and without fear or favour. The Article 29 Working Party’s Guidelines on DPOs make reference to a number of roles which would be considered to pose a conflict of interests with the position of DPO, namely: Chief Executive, Chief Operating Officer, Chief Financial Officer, Chief Medical Officer, Head of Marketing, Head of HR and Head of IT. All of these roles involve a significant amount of personal data processing and decision making, making it impossible to take an independent standpoint on the data matters that arise as a result.

This ruling presents an opportunity for organisations to review their DPO position. Both the organisation and the individual must be clear about the role. The job description should be reviewed from time to time in the light of changing roles and responsibilities. This may flag up potential conflicts of interest.

It is common for DPOs, especially in the public sector, to wear many “hats” due to budget constraints. Whilst GDPR does allow this, if there is any doubt about a conflict of interests, the decision-making process should be documented and the position reviewed. If any mitigating measures are to be put in place to reduce the risk of conflict, these should be outlined and reviewed periodically as new risks and processing activities are presented to the organisation.

Data protection and privacy is an ever-changing area of compliance and in the coming years, more case law will be generated as the principles of the legislation are put to the test. With the end of the Brexit transition period approaching and changing uses of technology due to the global coronavirus pandemic, organisations will need to remain alert to potential issues arising from their original GDPR implementation plan.

Samantha Smith is a Data Protection Manager and qualified Solicitor with experience of data protection compliance projects across both public and private sectors. This and other GDPR developments will be covered in our new online GDPR update workshop. Our next online GDPR Practitioner Certificate course is fully booked. A few places are left on the course starting in August.

GDPR and the Role of the Data Protection Officer


The clock has started on the biggest change to the European data protection regime in 20 years. After four years of negotiation, the new EU General Data Protection Regulation (GDPR) will take effect on 25th May 2018.

In the UK, it will replace the Data Protection Act 1998 (DPA). With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, now is the time to start planning (if you have not already started!).

You might be forgiven for thinking that the Brexit vote means that there is no need to worry about GDPR (being a piece of EU legislation) or that its effect will be time limited. The Government has now confirmed that GDPR is here to stay; well beyond the date when the UK finally leaves the European Union.

Section 4 of GDPR introduces a statutory position of Data Protection Officer (DPO) who will have a key role in ensuring compliance with GDPR. But who exactly will need a DPO and what is his/her role? The Article 29 Data Protection Working Party has now clarified this in its recently published guidance (the A29 Guidance) and a useful FAQ. Technically these documents are still in draft as comments have been invited until the end of January 2017.

Who needs a DPO?

For the first time Data Controllers as well as Data Processors are required to appoint a Data Protection Officer in three situations (Article 37(1)):

  a) where the processing is carried out by a public authority or body

Public authorities and bodies are not defined within the legislation. The guidance says that this is a matter for national law. It’s fair to say that all bodies subject to the Freedom of Information Act or the Freedom of Information (Scotland) Act will be covered by this requirement, e.g. councils, government departments, the health sector, schools, emergency services etc. However, it is likely to also cover private companies that carry out public functions or deliver public services in the area of water, transport, energy, housing etc. (See also the decision in Fish Legal v Information Commissioner and others [2015] UKUT 0052 (AAC), which considers the definition of public authorities under the Environmental Information Regulations 2004.)

Purely private companies not involved in public functions or delivering public services will only need to appoint a DPO if they engage in certain types of data processing operations explained in Article 37:

  b) where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale

Under this provision, companies whose primary activities involve processing personal data on a large scale for the purposes of behavioural advertising, online tracking, fraud prevention, detection of money laundering, administering loyalty programs, running CCTV systems, monitoring smart meters etc. will be caught by the DPO requirement.

  c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences

The A29 Guidance states that the “and” above should be read to say “or” (a diplomatic way of saying the proof-readers did not do their job!). Special categories of data are broadly the same as Sensitive Personal Data under the Data Protection Act 1998 e.g. ethnic origin, political opinions, religious beliefs, health data etc. This provision will cover, amongst others, polling companies, trade unions and cloud providers storing patient records.

Unless it is obvious, organisations that don’t need to appoint a DPO should keep records of their decision making process. The A29 Guidance suggests that it will still be good practice to appoint a DPO in some cases; for example, where private organisations carry out public tasks. This could include companies delivering core public services under an outsourcing arrangement, e.g. housing maintenance companies, charities delivering social services etc. A group of undertakings may appoint a single DPO provided that he/she is easily accessible and there are no conflicts of interests.

Even organisations not based in the EU may be caught by GDPR and the requirement to appoint a DPO. GDPR will apply to any entity offering goods or services (regardless of payment being taken) and any entity monitoring the behaviours of citizens residing within the EU. Companies are now directly responsible for DP compliance wherever they are based (and not just their EU based offices) as long as they are processing EU citizens’ personal data.

The DPO’s Tasks

According to Article 37(5), the DPO, who can be a staff member or contractor, shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39. These are:

  • to inform and advise the controller or the processor and the employees who are processing personal data of their obligations pursuant to this Regulation;
  • to monitor compliance with this Regulation, including the assignment of responsibilities, awareness-raising and training of staff involved in the processing operations, and the related audits;
  • to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  • to cooperate with the supervisory authority (the ICO in the UK);
  • to act as the contact point for the supervisory authority on issues related to the processing of personal data.

Qualities

The A29 Guidance states:

“Although Article 37 does not specify the professional qualities that should be considered when designating the DPO, it is a relevant element that DPOs should have expertise in national and European data protection laws and practices and an in depth understanding of the GDPR. It is also helpful if the supervisory authorities promote adequate and regular training for DPOs.”

The necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed. For example, where a data processing activity is particularly complex, or where a large amount of sensitive data is involved, the DPO may need a higher level of expertise and support. The necessary skills and expertise include:

  • expertise in national and European data protection laws and practices, including an in depth understanding of the GDPR
  • understanding of the processing operations carried out
  • understanding of information technologies and data security
  • knowledge of the business sector and the organisation
  • ability to promote a data protection culture within the organisation

Act Now has recently launched its GDPR Practitioner Certificate, aimed at upskilling existing and future DPOs in both the public and private sector. To learn more please visit our website or download the flyer.

The DPO must be allowed to perform tasks in an independent manner and should not receive any instructions regarding the exercise of their tasks. He/She reports to the highest management level in the organisation and cannot be dismissed or penalised for doing their job.

Article 38(2) of GDPR requires the organisation to support its DPO by “providing resources necessary to carry out [their] tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.” The A29 Guidance says that, depending on the nature of the processing operations and the activities and size of the organisation, the following resources should be provided to the DPO:

  • Active support of the DPO’s function by senior management
  • Sufficient time for DPOs to fulfil their duties
  • Adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate
  • Official communication of the designation of the DPO to all staff
  • Access to other services within the organisation so that DPOs can receive essential support, input or information from those other services
  • Continuous training

The DPO will be at the heart of the data protection framework for many organisations, facilitating compliance with the provisions of the GDPR. Now is the time to appoint one, to ensure that you get the most suitably qualified candidate. Some say 28,000 will be required in the UK and US. Others have even suggested there will be a skills shortage!

There is certainly a lot to learn and do in less than 18 months when GDPR comes into force. Training and awareness at all levels needs to start now.

Do you think mandatory Data Protection Officers under GDPR will lead to higher salaries for DPOs?
Participate in our Twitter survey:

https://twitter.com/ActNowTraining/status/816980420357132290

Make 2017 the year you get prepared for the General Data Protection Regulation (GDPR). See our full day workshops and new GDPR Practitioner Certificate.