"Breaches are inevitable and when they occur your data protection officer needs to look after reputational damage".
This was the key message from Sharon O'Reilly, a GDPR Consultant with IT Governance and an active ambassador with the Irish GDPR Awareness Coalition, when speaking at Dublin Data Sec 2018, the second annual data protection conference organised by the Irish Independent and Independent.ie.
Ms O’Reilly said that for companies that formally appoint a Data Protection Officer (DPO), organisations need to understand what it is they do.
"The role is very much a leading a pivotal role. The DPO should be advising all members of staff of their obligations under the law, a DPO needs to be very much on the ball with this stuff," Ms O’Reilly said.
"Your DPO is a key guiding and facilitating function".
In addition, Ms O’Reilly advised that the value of having staff buy into why they are complying with the legislation "cannot be overestimated".
"There has been so much focus on May 25 and mad panic about this date, but this is only the start of the journey," she said.
Any DPO appointed by a company must regularly monitor the area of data protection and this monitoring has to be done on a formal basis she advised, commenting that "what you can’t prove does not exist with respect to legislation".
In addition she told delegates that the DPO "needs to be somewhat of a diplomat – this person is going to be potentially in a situation where they will have to negotiation with supervisory authority, those who are alleged victims of data breaches, and senior management".
And she stressed that a conflict of interest should not exist with the person that is appointed to the DPO role.
"If you are responsible for items relating to data processing then you may be policing yourself and this will never work effectively," Ms O’Reilly said.
"It is not mandatory to have a DPO but it is agreed that it is best practice…unless you are a public authority or body you don’t need a DPO".
In addition, Ms O’Reilly said that having a DPO in place would put organisations on a better footing to manage compliance going forwards.
Meanwhile Daragh O’Brien, CEO of Castlebridge, a firm specialising in information trust through governance, quality, and privacy, advised delegates that companies should also record a near miss when it comes to data protection, as in doing so it will lead to prevention – "you learn from it, you can then take direct action to review the specific cause".
"Ultimately we are in the trust game, can you trust that you will be able to respond, that your staff will be able to recognise issues?," he asked.
"As soon as you have a reasonable degree of certainty that a breach has occurred, you are deemed to be aware, the clock starts ticking from the point of being "reasonably aware" that something has gone wrong," Mr O’Brien advised those present today.
Mr O’Brien said that in the case of a security breach, companies needed to ask questions around 'Was it an actual breach or a near miss? Has data been breached, can it be recovered from back-up? Do you have to notify a supervisory authority in another member state?'
And he stressed that communication was key: "Notify data protection authority. When communicating with media, stick to the facts, do not editorialise. Clearly communicate what you are going to do to remediate the issue".