In this article we list, in more or less detail, the main tasks that the Privacy Officer, one of the main professional profiles operating in the field of personal data protection within a company, has to deal with. In recent years this function has undeniably acquired enormous relevance, above all because of the adoption of the General Data Protection Regulation (better known as GDPR) at European level, which we have discussed extensively in our series of dedicated posts, and the consequent need to comply with its principles and provisions.
However, despite the enormous quantity of informative articles published by the specialized magazines and the urgent need to comply with the law, there are still many companies that ignore (and in some cases "pretend to ignore") the importance of equipping themselves with such a function, which is responsible, as we will see, for numerous activities, some of them very delicate.
Who is the Privacy Officer?
Before moving on to the list of activities entrusted to the Privacy Officer (also known as Privacy Manager) it might be useful to spend a few words on which professional profile this figure corresponds to. The first thing to clarify is that it is a function that cuts across business processes: it deals both with the life cycle of the data and with the organizational, managerial, technological and legal aspects of the activities carried out by the company. Among these, Information Technology skills have taken on particular importance, especially in recent years, with regard to concepts such as authentication, authorization, encryption and backup.
Not surprisingly, although this is a role traditionally played by lawyers or in any case by people with a legal training background, in recent years there has been a significant increase in technical profiles, such as management engineers and IT technicians, as well as candidates with a background in communication.
Here is a summary list of the activities carried out by the Privacy Officer. For each of them we have devised a "title" of one or two words that summarizes its scope, topic or basic context.
- Privacy Manual. Make sure that the company has an updated Privacy Manual that documents the privacy system in use, including this list of periodic duties for the manager.
- Register of Data Processing Activities. Keep the Register of Data Processing Activities (the record required by article 30 of the GDPR) updated with all customers and the related categories of processing connected to company activities.
- DPIA. Make sure that for every data processing that presents a high risk there is a Data Protection Impact Assessment (DPIA) documenting the risks and the measures adopted to mitigate them.
- Data Classification. Make sure that all the data processed in the company have been classified according to the provisions of the Data Classification Policy and that there are no data classified incorrectly.
- Data Destruction. Make sure that all data that is no longer needed has been destroyed or returned in accordance with the Data Destruction Policy and that there is no data stored in error.
- Authentication. Verify that every login path into company IT systems requires sufficiently strong credentials, applying the password length and complexity criteria of the standards currently in force; keep in mind that current guidance (NIST SP 800-63B, for example) no longer recommends routine forced expiration of passwords, only changing them when there is evidence of compromise. Also verify that every system that is critical, or that exposes information, data or functionality with a high risk profile, requires two-factor or multi-factor authentication (2FA, MFA). Finally, check that all accesses are documented in written lists that are easy to locate, consult and verify, and that the credentials of every user who is no longer active have been decommissioned.
- Authorization. Verify that IT operators, developers and system administrators can access only the information needed to carry out their tasks, following the principle of deny by default (least privilege): nothing is granted unless it is explicitly required and approved.
- Information Technology. If the organization processes data with IT tools (workstations, servers, cloud repositories, databases, web services, etc.), make sure that the company has adopted adequate technical and organizational measures, as required by article 32 of the GDPR and by the accountability principle, with particular regard to those explicitly mentioned in the regulation: pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to promptly restore the availability of and access to data in the event of an incident; a process for regularly testing, assessing and evaluating the effectiveness of the measures. It is worth noting that this must be done for the internal IT staff as well as for third-party services, such as a partner IT consulting company or other outsourcing alternatives.
- Risk Analysis and Assessment. Make sure that a Risk Analysis has been carried out for all company projects and that this analysis contains the appropriate assessments in the privacy field; also ensure that all projects for which a high risk profile has emerged during the analysis contain a Risk Assessment Report that documents the methods of risk management and mitigation.
- Issue Tracking. Verify that all Privacy and Data Protection issues, incidents and formal claims have been appropriately resolved or managed by the competent staff.
- Contracts. Draft the sections or attachments relating to assignments and/or appointments as data processor within contracts with customers, contracts with suppliers, framework agreements, calls for tenders and any other company document.
- DPO. Manage communications with the DPO and ensure that any evidence resulting from the activities of the DPO is appropriately managed.
- Documentation. Make sure that all corporate privacy documentation (policies, employee information, processing information, privacy forms, etc.) has been updated in the last 12 months.
- Training. Ensure that all employees and company collaborators have completed at least one Privacy and Data Protection refresher course in the last 12 months and that they have completed the relevant evaluation form; make sure that the written minutes of attendance and topics covered are present for the course; make sure that a further refresher course is planned, to be held within the next 12 months.
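The Authentication and Authorization checks in the list above (dormant accounts that were never decommissioned, high-risk systems reachable without MFA, entitlements that exceed what a role needs) are the ones most easily turned into a repeatable review. The script below is an added example, not code from the original article: it runs three such checks over a constructed user export. The record layout (username, role, active flag, last login, MFA flag, entitlements), the list of high-risk systems and the role-to-entitlement baseline are all assumptions made for this example; adapt them to the export your identity provider or directory actually produces.

```python
"""Access-review checks a Privacy Officer can run over a user export.

Added example; the record layout, HIGH_RISK_SYSTEMS and ROLE_BASELINE
are assumptions for illustration, not a real organization's data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Review date used by the sample run (assumed).
REVIEW_DATE = date(2024, 6, 1)

# Systems that expose high-risk data or admin functionality and therefore
# must be protected by MFA (assumed list for this example).
HIGH_RISK_SYSTEMS = {"hr-db", "prod-admin", "customer-crm"}

# Deny-by-default baseline: anything not listed for a role is not allowed
# (assumed role -> permitted entitlements map).
ROLE_BASELINE = {
    "developer": {"git", "ci", "staging-db"},
    "sysadmin": {"git", "ci", "prod-admin", "staging-db"},
    "hr": {"hr-db"},
    "sales": {"customer-crm"},
}


@dataclass
class Account:
    username: str
    role: str                      # e.g. "developer", "sysadmin", "hr"
    active: bool                   # account still enabled in the directory
    last_login: Optional[date]     # None = never logged in
    mfa_enabled: bool
    entitlements: Set[str] = field(default_factory=set)  # systems/groups granted


def stale_active_accounts(accounts: List[Account], today: date,
                          max_idle_days: int = 90) -> List[str]:
    """Still-enabled accounts with no login in max_idle_days (or never)."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(
        a.username for a in accounts
        if a.active and (a.last_login is None or a.last_login < cutoff)
    )


def high_risk_without_mfa(accounts: List[Account]) -> List[str]:
    """Enabled accounts that reach a high-risk system without MFA."""
    return sorted(
        a.username for a in accounts
        if a.active and not a.mfa_enabled and (a.entitlements & HIGH_RISK_SYSTEMS)
    )


def excess_entitlements(accounts: List[Account]) -> Dict[str, List[str]]:
    """Entitlements beyond the role baseline (deny by default).

    Returns {username: sorted extra entitlements}. An unknown role has an
    empty baseline, so every entitlement it holds is flagged.
    """
    result: Dict[str, List[str]] = {}
    for a in accounts:
        if not a.active:
            continue
        extra = a.entitlements - ROLE_BASELINE.get(a.role, set())
        if extra:
            result[a.username] = sorted(extra)
    return result


def build_sample_accounts() -> List[Account]:
    """Constructed sample export (not real data)."""
    return [
        Account("alice", "developer", True, date(2024, 5, 20), True, {"git", "ci"}),
        Account("bob", "sysadmin", True, date(2024, 1, 3), False, {"git", "prod-admin"}),
        Account("carol", "hr", True, None, True, {"hr-db"}),
        Account("dave", "sales", False, date(2023, 11, 1), False, {"customer-crm"}),
        Account("erin", "developer", True, date(2024, 5, 28), True,
                {"git", "ci", "customer-crm"}),
    ]


def run_review(today: date = REVIEW_DATE) -> Dict[str, object]:
    """Run all three checks over the sample export and return the findings."""
    accounts = build_sample_accounts()
    return {
        "stale": stale_active_accounts(accounts, today),
        "no_mfa": high_risk_without_mfa(accounts),
        "excess": excess_entitlements(accounts),
    }


if __name__ == "__main__":
    for check, findings in run_review().items():
        print(f"{check}: {findings}")
```

On the sample data the review flags bob (no login in 90 days, and admin access without MFA), carol (account enabled but never used) and erin (a developer holding an entitlement on the customer CRM that her role baseline does not grant). Each finding maps directly to a line of the checklist: decommission or justify the stale accounts, enforce MFA on the high-risk entitlement, and either remove the excess entitlement or record the approval that justifies it. Keeping the findings and their resolution in the task tracker mentioned below is what makes the check demonstrable to the DPO or an auditor.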
Ideally, all the above activities should be recorded in a specific company Time Tracker (or any other equivalent task-tracking tool) in order to allow the Privacy Officer, as well as the company, to demonstrate that everything is managed periodically and continuously.
Why do we need it?
As we can clearly see by looking at the above tasks, this is an extremely complex job description, which certainly cannot be performed by a CEO, nor "delegated" to a function that already carries out other activities. Even the option of entrusting this assignment to an external consultant or a supplier, a very popular solution in some small and medium-sized companies (SMEs), is difficult to implement in practice, since these activities require very strong knowledge of the company and constant interfacing with its main functions: from the business unit to logistics, from administration to general services, from operations to delivery, from HR to the legal office, not to mention the constant relationship with employees, customers and suppliers.
Taking all these factors into consideration, the preferable solution for most companies is to have an internal privacy office, composed of a Privacy Officer who coordinates the activities and a number of Privacy Specialists (employees or consultants) commensurate with the size of the organization and the amount of data being processed. This approach obviously does not exclude the possibility that, in very small organizations where the processing of personal data is not business-critical, the entire office can be run by a single person. However, these are residual situations, considering the numerous legal obligations provided for by the GDPR and the risks associated with incorrect or careless management of this data. It goes without saying that, for very large companies, the opposite may also be true: several Privacy Officers, perhaps one for each production plant or company office, coordinated by a Chief Privacy Officer (CPO) with strategic and managerial functions.
That's it for now: we hope that this list will help not only novice Privacy Officers, but also and above all the CEOs and managers of companies that have not yet equipped themselves with this fundamental figure, so that they understand the importance of getting one on board before it is too late.