Data Protection Officers (DPO)

The importance of delineating a DPO's role

At tlam we provide outsourced DPO support to multiple clients in different sectors, from law firms to PR and event management companies. What we have seen in our dealings is that the data protection officer a company needs will differ depending on the context of the business. This seems like an obvious point, but given the lack of regulatory guidance currently on what makes a "good" DPO, this piece provides advice on what to look out for:

"Certified" data protection officers: not the magic bullet

If only there were a quick and simple way to be fully GDPR-compliant. Alas, even with certificates and accreditations, we at tlam are constantly learning from new and innovative data privacy problems faced by our clients.

It is important to understand that accreditation and recognition help you understand how to be compliant but do not make you compliant. Never rely solely on certificates to demonstrate capability; look at the substance, not the title.

Many organisations now offer "gold-plated" GDPR certification schemes. The trap is that simply passing the certificate appears to qualify you to advise on data protection (and your organisation can tick that box). Yet GDPR is not intended to be an end goal; the time for ticking boxes is over. It forms part of ongoing obligations to ensure the lawful, transparent, purpose-specified and limited use and/or collection of personal data.

Therefore, when looking for DPO support, ask candidates to provide evidence of how they have managed data protection compliance. Ask for specific examples: what challenges arose when a business adopted new technology, what privacy risks were identified, how those risks were mitigated, and how long approval of the Data Protection Impact Assessment took.

The IT guru does not equal DPO

Understanding computer network architecture does not give you carte blanche to be qualified for a DPO position.

Whilst we have the utmost respect for those individuals who spend their days, for example, developing, testing, installing, configuring and troubleshooting computer hardware and software, and creating proper documentation, diagrams and other detailed instructions to help other employees make the best use of new technologies, we often find there is a large gap between the core functions and responsibilities of your IT provider and those of a DPO, who acts to champion privacy and data protection compliance within the organisation.

Four sides of the dice

When looking for someone to fill the role, have senior stakeholders been consulted? Are recruiters on the lookout for individuals with practical experience in managing record-keeping and audit trails? Will the DPO understand the GDPR article by article, and have the ability to translate those obligations and responsibilities for senior management?

Perhaps they're looking for a lawyer. A lawyer could certainly help, so long as they play an important and proactive role in embedding privacy and accountability into the organisational culture of the firm. Beyond this, it is important to seek out lawyers with contract experience. The Data Protection Officer, through their co-ordination of the compliance function, must understand how to mitigate or transfer risk through Data Processing Agreements. Crucially, a DPO must be alive to how both controller and processor obligations affect both client and vendor contracts. Network and IT risk continues to evolve. Moreover, cyber risk crosses national borders and often has unexpected consequences that many companies are ill-prepared for.

So organisations can be forgiven for pumping money into security to stay ahead of the threat. DPOs need technical knowledge of how your network is run: where the servers are based, how often maintenance is done, and whether your network infrastructure is fluid enough to react to changing threats. With the likes of Azure, Google Cloud and cloud computing more generally, it is imperative that 21st-century businesses (and their DPOs) understand their attack surfaces. A company could therefore focus its efforts on an IT specialist to fulfil the DPO role.

The IT and security specialist DPO is unique in their understanding of network security and its effect on business continuity. Adequate and proportionate enterprise resource management (ERM) software can assist in understanding and mitigating common risk factors. However, this blog is not intended to discuss the pros, cons and return on investment of security products (of which there are numerous). The point is that Article 38 requires that the DPO is involved, in a timely manner, in all issues relating to the protection of personal data. The logical corollary is that the IT and security specialist understands the technical and organisational measures required, taking account of the state of the art and the costs of implementation, to keep personal data secure.

Ultimately, to remain competitive, have a distinctive brand and build a privacy-conscious culture, the DPO needs all four. Such unicorns are few and far between, but teasing out the different constituent parts at interview can differentiate the tick-box-centric privacy auditor from the privacy champion: someone cognisant of the nuances of joint controllership and lawful-basis processing who, most importantly, can report to management in a clear, unambiguous and granular fashion, enabling senior management to respond to data protection compliance issues efficiently and at scale.

Privacy-conscious solutions: simple, efficient, manageable

If you have any further questions or queries, or need help understanding your privacy and network architecture, look out for further content.