Author: Shaab Al-baghdadi, Head of Data Protection
So why is this role one of the most rewarding and frustrating positions in equal measure? Having acted as a DPO for various organisations, supported DPOs in post and, over the years, delivered certified training courses to thousands of DPOs, I have a rounded and experienced perspective.
The DPO is a recommended or mandated position under certain global data protection regulations, such as the EU General Data Protection Regulation (GDPR), which the UK has adopted. For this article, I will focus on the GDPR requirements and how that translates into what I, as a DPO, am required to do.
This is such an interesting position within an organisation and in many ways is unique. One of the main requirements is the independence of the DPO, which is often overlooked by organisations making the appointment. An organisation has an obligation to put in place the following controls to ensure this independence.
- Making sure the DPO has the time to complete their tasks
- Providing ongoing education so the DPO can stay up to date with data protection regulations
- Providing the DPO with the resources (staff, technology, etc.) needed to complete the tasks they are mandated to complete
- Ensuring they are not put in a position that could conflict with the advice they provide, for example by also being the CISO or a board member
- Ensuring the DPO reports to the highest level of authority within the organisation
- Ensuring the appointment of the DPO is announced internally to stakeholders within the organisation
Perhaps most importantly, organisations should not penalise the DPO for the advice they provide to them.
In my experience, many organisations do not understand these obligations and fail to adequately cost them into the appointment, let alone consider the impact this might have on their business operations.
So why does the DPO have these protections under the regulation? It is so they can carry out the role effectively; in essence, the DPO is acting as an internal regulator for the organisation, and they are able to speak truth to power without fear or favour.
Some DPOs are appointed almost as a tick-box exercise, without the requisite skills to fulfil the tasks effectively, which only adds to the woes they may have to deal with and the frustrations that both they and the organisation start to encounter!
So, what are the tasks of the DPO and some of the skills an individual needs to develop? Again, we can look to the GDPR as the tasks are outlined in the regulation under Article 39, and include:
- Advise on the methodologies for completing Data Protection Impact Assessments (DPIAs)
- Provide, or ensure the provision of, training for the company that is appropriate and adequate
- Monitor whether DPIAs are being completed correctly
- Monitor compliance with the Regulation and other data protection provisions, including the organisation's own policies on the protection of personal data
- Oversee the assignment of responsibilities, awareness-raising of staff involved in processing operations, and the related audits
- Cooperate with the regulator
- Act as the point of contact for individuals who have questions or concerns about their data
All the above should be considered with regard to the risks that the processing of personal data may present.
When I have acted as a DPO, the first thing is to establish these tasks with the organisation. This is important because, if it is not done, the relationship will start to unravel, with each party having different expectations. Of course, you may have other duties agreed, but in my experience, depending on the size of the organisation, doing the above effectively will likely make this a resource-hungry role.
Any organisation is going to want to know if you can perform these tasks in a competent manner. They won't be probing that much if they don't understand what they are hiring for, and I have learnt that unless I am being asked the right questions, they have misunderstood what they need. I won't go into an interview scenario here; however, an interview is a two-way street.
What should they expect from me as a DPO? As a minimum, I need to demonstrate the following:
- I understand risks and potential privacy harms individuals could suffer, and can recommend mitigating controls appropriately
- I have strong auditing skills
- I understand and can apply the regulation in real-world scenarios
- I am a strong communicator if I am delivering the training
- I understand their business
- I have good reporting skills
They need to show me that they have allocated a budget to the role, that they can ensure my independence, and that they are committed to data protection.
If we can align on the above, then, as I have said, this should be a joyous and rewarding role. The operational implementation of the role can be a challenge; however, if the previous steps are in place, the goal should be achievable.
You will be respected as a professional and can see how you are personally protecting the organisation, employees, patients, consumers, clients, etc., from material harms and financial penalties.
Whether you are a full-time in-house DPO or an external resource, the above still applies. This should not be compliance for compliance's sake. The DPO is an integral part of the organisation, helping it meet its strategic goals and run its operations lawfully.
What makes a good DPO is perhaps a topic for another day, one that could also cover what makes a good employer or even a good client! Regardless, as a DPO, you need to maintain your skills, especially with the rapid adoption of AI, and as an organisation, the appointment or contracted service may be one of the most impactful decisions you make.
To sum up, let’s focus on the joys and avoid the woes through aligning expectations and maintaining the professionalism of this role.