Data Protection Officers (DPO)
The importance of delineating a DPO's role
At tlam we provide outsourced DPO support to multiple clients in different sectors, from law firms to PR event management companies. What we have seen in our dealings is that a company's data protection officer needs will differ depending on the context of the business. This seems like a really obvious point, but given the current lack of regulatory guidance on what makes a "good" DPO, this piece provides advice on what to look out for:
"Certified" data protection officers: not the magic bullet
If only there were a quick and simple way to be fully GDPR-compliant. Alas, even with certificates and accreditations, we at tlam are constantly learning from new and innovative data privacy problems faced by our clients.
It is important to understand that having accreditations and recognitions helps you understand how to be compliant but does not make you compliant. Don't ever rely solely on certificates to demonstrate capabilities; look at the substance, not the title.
Many organisations now offer "gold-plated" GDPR certification schemes. The trap is the idea that you simply pass the certificate and you are qualified to advise on data protection (and your organisation can tick that box). Yet GDPR is not intended to be an end-goal - the time for ticking boxes is over - it forms part of on-going obligations to ensure the lawful, transparent, purpose-specified and limited use and/or collection of personal data.
Therefore, when looking for DPO support, ask the candidates to provide evidence of how they have managed data protection compliance. Ask for specific examples of challenges faced when businesses utilise new technology: what privacy risks were identified, how those risks were mitigated, and how long approval of the Data Protection Impact Assessment took.
The IT guru does not = DPO
Understanding computer network architecture does not give you carte blanche to be qualified for a DPO position.
Whilst we have the utmost respect for those individuals who spend their days, for example, working to develop, test, install, configure and troubleshoot computer hardware and software, or working to create proper documentation, diagrams and other detailed instructions to help other employees make the best use of new technologies, we often find there is a large gap between the core functions and responsibilities of your IT provider and those of a DPO, who acts to champion privacy and data protection compliance within the organisation.
Four sides of the dice
When looking for someone to fill the role, have senior stakeholders been consulted? Are recruiters on the lookout for individuals with practical experience in managing record-keeping and audit trails? Will the DPO understand the GDPR article by article, and have the ability to translate those obligations and responsibilities to senior-level management?
Privacy-conscious solutions: simple, efficient, manageable
If you have any further questions, queries or need help understanding your privacy and network architecture, look out for further content.