What is a Data Protection Delegate?

What is a Data Protection Delegate? 

To comply with the requirements of the new RGPD that will take effect in May 2018, many organizations must have a Data Protection Delegate . But what exactly is this figure? How will it fit into the insurance sector? We try to clarify these and other issues through this post.

In the blog of Xenasegur is not the first time we deal with the European General Data Protection Regulation (RGPD) and its transposition to Spanish legislation. Specifically, it must be ready before the end of May 2018. By then, in order to ensure compliance with data protection regulations in organizations, the latter should consider the new figure of the Delegate of Data Protection or Data Protection Officer (DPO).

Specifically, as recalled from the Spanish Agency for Data Protection (AEPD) , “the DPO is one of the key elements of the RGPD, and a guarantor of compliance with data protection regulations in organizations, without replacing the functions that develop the control authorities. ”

And to carry out its work, the Delegate of Data Protection will have specialized knowledge in Law, as well as, obviously, data protection, and will act independently. Among its functions, regulated in Article 39 of the RGPD, are those of informing, advising and supervising compliance with the Regulation by the person in charge or in charge of data processing.

The profile of the Delegate of Data Protection

In relation to the profile of the Delegate of Data Protection, in the AEPD they specify that:

  • The RGPD does not require that the Data Protection Delegate be a jurist, but he / she must have knowledge in Law.
  • The DPO may be internal or external and a natural or legal person specialized in the matter.

This new figure, Carlos Alberto Saiz, director of Data Privacy Institute d e ISMS Forum Spain , said during the celebration of the Ninth Meeting of Integral Security (Sec 2), held last June in Madrid, that “if we talk about natural persons, it is clear that the DPO must be a gifted, since it will have to analyze risks, manage incidents, keep abreast of the latest technological advances, be a legal expert, communicate with empathy … From an economist to a lawyer, there are many the experts who can perform the functions of the DPO. ”

Iván Bayo, a lawyer specialized in data protection and member of the Spanish Society of Security Law (SEDS) , warned in the aforementioned event that, nowadays and with less and less time for the end of the deadline of transposition of the RGPD to the Spanish legislation, “there is still a great ignorance in the companies about the figure of the DPO, especially about who or who can take charge of their functions”.

In relation to this last point, and in order to build confidence in citizens as owners of their personal data, the AEPD has promoted, together with the National Accreditation Entity (ENAC) , a certification model -not mandatory- for DPO and an Expert Committee of the Certification Scheme for Data Protection Delegates formed by associations such as the Spanish Union of Insurance and Reinsurance Entities (Unespa), organizations of various sectors and the data protection authorities of Catalonia and the Basque Country.

The Delegate for Data Protection and the insurance sector

On how the new RGPD will affect the insurance industry in our country, Pilar González de Frutos, President of Unespa, told the Xenasegur blog that “insurance, like all other industrial sectors, will be affected very directly by the Regulation, since it contemplates new procedures that will have to be implemented and, therefore, will influence all areas of the organizations. But the insurance industry in our country is working very actively so that all entities are fully adapted to the RGPD by the end of May 2018. ”

Asked about the same question, Mónica Pons, President of Aunna Asociación, believes that “from the mediators to the producers, the insurance industry has always been very aware of the need to guarantee and maintain at the highest level both the privacy and the consistency of the the data of your customers. Therefore, it should not be a great effort to adapt to the requirements of the RGPD. ”

Regarding the Delegate for Data Protection, Pilar González de Frutos reminds that it is not a new figure, since, since the Organic Law on Data Protection (LOPD), it has been configured within companies. “In fact, a very high percentage of insurance companies have a data protection officer who, in many cases, is a multidisciplinary committee within the entity or group. Another issue is that the capabilities of the DPO acquire a new dimension in the RGPD, “says the president of Unespa.

In the case of Aunna Asociación, it makes a very favorable assessment of the DPO. “In the financial sector, in which we operate insurance brokers, we are very used to having independent figures that facilitate the relationship with users. I am referring to the Customer Ombudsman or the Customer Service Department. From that point of view, the creation of the DPO and the regulation of its figure are not something new and, in addition, we believe that it will influence even more positively in the perception of the final consumer regarding the professionalism of the mediator with whom he contracts “, says Mónica Pons to our blog.

And on whether the DPO will be internal or external and a natural or legal person in the insurance field, Pilar González de Frutos considers that each insurer will adopt its own strategy. “In any case, what should be taken into account is that, in terms of standards, the DPO must not only know which regulates data protection, but also, in the specific case of insurers, must be an expert in the so-called right of private insurance, which covers an extensive and complex regulation. This is because the DPO has to determine if the data treatments are based on legitimate interest, legal obligations, etc. In addition, you must know the internal organization to establish data processing procedures and risk assessment, as well as other obligations established by the RGPD and that must be supervised by the DPO, “recalls the Unespa representative.

In a more concise way, Mónica Pons believes that, regarding the implementation of the DPO, “the logical thing is to opt for an external professional of recognized prestige and competence, since experience shows us that it is the most operational option and which best responds to the needs and situation of the majority of runners “.

And in view of the information regarding the RGPD and the DPO that is being transmitted to the brokers, the president of Aunna Asociación clarifies that the entity that represents “informs the partners of the contents and obligations of the RGPD and we are also coordinating actions with other associations to agree on a common relationship framework with insurers that facilitates compliance with requirements and the correct use of data by both parties. ”

Regarding the relationship of the insurance industry with the AEPD, Pilar González de Frutos highlights the close relationship between Unespa and the agency since the first law regulating the automated processing of personal data was approved in 1992. ” has allowed a full adaptation of the Spanish insurance sector to this legislation. The insurance industry has addressed every regulatory change or sectoral initiative in maximum coordination with the AEPD, an institution that has a great knowledge of the sector and that has been of inestimable help so that the insurance is perhaps one of the most adapted in matter of data protection. Therefore, this same dynamic of close collaboration is what we will continue with the new RGPD, “concludes the president of Unespa.

Specific tools

For those who still do not have clear the guidelines and objectives of the new RGPD, the AEPD has enabled a specific website in which, in addition to the text of the Regulation, can download documents on the figure of the DPO, guides of interest, etc.

In a special way, we recommend consulting the section   RGPD in 12 questions , since it facilitates knowing which companies or organizations it applies to, what implies the active responsibility included in the Regulation, if the RGPD supposes a greater burden of obligations for the companies, if the latter should review their privacy notices, etc.

The latest tool developed by the AEPD has been Facilitates RGPD , which helps companies and professionals who treat personal data of low risk to comply with the new Regulation. It is an “online” questionnaire, with a maximum duration of 20 minutes, which allows to verify if the data being treated are of low risk and obtain the minimum documents necessary to facilitate compliance with the RGPD at the conclusion of the test.