Transcription of the lecture by Dr. Sebastian Kraska, held on September 17, 2024, at the event FORUM INFORMATION SECURITY AND DATA PROTECTION DATAINFO.SI, d.o.o. All rights reserved.
This transcription was generated with the help of artificial intelligence tools.
My name is Sebastian. I’m the founder of IITR Datenschutz GmbH, based in Munich, Germany, specialized in providing outsourced DPO services. We have a team of over 10 people dedicated to these services. I previously led the DACH region (Germany, Austria, Switzerland) for the IAPP (International Association of Privacy Professionals). Today, I was invited to talk about the role of external outsourced data privacy officers in Germany.

In Germany, the concept of data protection officers (DPOs) is not new. Privacy laws go back to the 1970s, first introduced in Hessen, and later adapted at the federal level. The idea of having data protection officers has been a key part of German privacy regulation, even pre-GDPR. The data protection authorities have the right to contact the DPO directly. Organizations are required to appoint a DPO and register them with the local authority, giving authorities the ability to reach out when needed.

The DPO’s main task is to check the organization’s privacy status, which starts with training and assessing privacy measures. Even six years after the GDPR’s introduction, we are still discussing the basics with many SMEs—things like records of processing activities, controller-processor agreements, and IT security. My advice to clients is to focus on core topics and not overcomplicate things. For example, when documenting processing activities, start with the most important 10 to 20, and ensure they are fully covered before moving on to more. The same approach applies to controller-processor agreements. Work with IT, HR, marketing, and finance to ensure agreements are in place where necessary. Information security is another critical area, as it poses major risks from both privacy authorities and external threats like hackers. Privacy authorities provide useful checklists for SMEs to ensure compliance with minimum security requirements.
Larger organizations, particularly in regulated sectors like finance or healthcare, often require certifications under standards like ISO. Privacy training is not explicitly mandated under GDPR, but the law requires internal measures to meet accountability standards, which implies some form of employee training. Proper training helps mitigate risks and demonstrates to authorities that the organization is taking privacy seriously. If something goes wrong, having a trained workforce can reduce the risk of fines.

There are two formal GDPR requirements where the DPO plays a key role: maintaining records of processing activities and conducting Data Privacy Impact Assessments (DPIAs). If a processing activity reaches a certain privacy sensitivity threshold, a DPIA is required, for example, with CCTV monitoring or analyzing encrypted network traffic. The DPO’s risk assessment is a critical part of the DPIA process.

Lastly, the DPO is involved in data breach response. Under GDPR, breaches must be assessed within 72 hours to determine if they are reportable. Privacy authorities in Germany categorize breaches into low, medium, and high risk. Low-risk breaches only need to be documented, medium-risk ones must be reported to the authority, and high-risk breaches require notifying affected individuals as well. The DPO helps assess the breach and determine the required actions. Quite often, data breaches occur on Friday afternoons, possibly because hackers target companies when they are most vulnerable over the weekend. This is why our team provides 24/7 support for potential breaches.