Author: Ziga Smiljanic. Image: https://www.freepik.com/vectors/business-man-cartoon, created by pch.vector - www.freepik.com
Four years have passed since the GDPR came into force, an act that brought significant changes to how many of us conduct our business. With it came the need for certain companies to appoint a Data Protection Officer (DPO). So here you are, full of knowledge with a newly printed certificate in your hand, or perhaps you were appointed to this position by default and have yet to fully grasp what it is you are supposed to do.
Whether or not you are familiar with the GDPR articles pertaining to the role, there are many things the regulation simply doesn't answer. What does the role look like in practice, and who is it best suited for? What challenges will you face that will give you grey hair? These are the questions we will answer in the lines below, and we will also take a look at the numbers and penalties that various Data Protection Authorities have imposed so far.
Who you are and who you are not
The General Data Protection Regulation does not give a specific definition of the Data Protection Officer so much as it defines the role through its tasks. But simply reading Article 39 does not paint the clearest picture. Sure, we find out what we're supposed to do, but it tells us barely anything about the role itself. The job of a DPO is much deeper and more complex than initially perceived. The DPO's role is to deal with issues that relate to the protection of personal data, and yes, your role is to be the contact within the company for all things GDPR and privacy related, but anyone can read that. What the regulation doesn't tell you are the issues, problems and frustrations that you will most likely face in the field, and the skills needed to overcome them.
To perform well as a DPO, your skills should go beyond knowing and understanding the GDPR; that should come as standard. You need to know how to bring those words into practice at your business, for example how to implement the right to be forgotten or the right to data portability. Great communication skills are a tremendous benefit in this job, especially since, as an agent of change, you will most likely be met with a certain amount of pushback. Many businesses are set in their ways ("this has worked for us so far, why change?"), and implementing and complying with the GDPR does not have an immediate ROI or tangible benefit.
The Communicator - It will be your task to communicate the benefits of protecting data subjects' rights beyond what is visible in the revenue. In most cases the goal you will be chasing is not profit, but avoiding unnecessary costs while simultaneously building trust. These costs do not come only in the form of fines imposed on you by the DPA if you fail to comply but, depending on the severity of the problem, also as damage to your company's brand. A brand takes years to build but only a moment to destroy if consumers/data subjects see that their rights and data are being neglected or mistreated. In the end, that can be more harmful than any fine a company can face.
The Influencer - As a DPO you need a certain level of self-confidence, as you should report to the highest executive authority in your company and be able, with a level of assertiveness, to convince them to implement the changes you advocate. "Influencer" is a word thrown around today in a different context, but your job is not that different. Your job is to advise the executives, persuade them to see the benefits of and need for privacy protection, and obtain the resources to implement it.
The Mentor - Another task that is not specifically mentioned in the GDPR but could almost be counted as essential for the DPO is that of a teacher of sorts. You should be able to train the staff on data protection awareness. Before the GDPR came into force there was little push for staff to be adequately privacy aware and, unfortunately, even to this day there are many cases where fines are issued due to employee mistakes. Sharing your knowledge and training your coworkers to work towards the common goal of a privacy-aware workplace is one of the key tasks of a DPO.
As a data protection officer, your task is to remain impartial and independent. Nor can just anyone in the company become a DPO. The role is not compatible with that of a CISO, head of Human Resources or CCO, for example. The latter was decided by the Belgian Data Protection Authority (DPA), which ruled that the two roles are in a conflict of interest and in breach of Article 38(6) GDPR, and fined the company 50.000€ (decision made on 28th April 2020, substance 18/2020, file number AH-2019-0013).
The Innovator - You will not only be changing the mindset of your coworkers and how they see privacy; you should also bring in some technological changes. While many still use traditional spreadsheet tools for privacy work, such methods are inefficient, not fit for purpose and, because they are not secure, the opposite of what you are trying to achieve. Nowadays there are tools built specifically for Data Protection Officers, offering help with cookie management, RoPA and DPIA, and meant to help you navigate the privacy landscape. There are numerous such products on the market, and Privacy1 offers an innovative suite of tools to help you with your work.
The Arbitrator - As an advisor, your role is also to monitor compliance and to be the contact for the supervisory authority and for data subjects within the company. Deciding what happens with personal data (gathering, deletion or any other kind of processing) is in the hands of the controller, making such positions within the business incompatible with that of a DPO. While you are meant to influence the executives at your company, you lack executive powers yourself, which, while it maintains your independence, can often lead to some frustrating moments.
Difficulties you will face
These days, people are more and more aware of their rights as well as of the value of privacy in general. Businesses, while more inclined to work with privacy in mind, still don't always provide the necessary funds or resources.
The most common problem DPOs will face is a lack of resources dedicated to privacy protection. That means either funding for specialised tools, funding to improve data protection, or simply funding to hire additional personnel or to train existing employees and management to help out with privacy issues.
Also, the role of a DPO should not be isolated in the name of independence and impartiality. Data protection officers should work and cooperate with employees so that they are involved in data privacy issues and integrate privacy into their existing workflow and system design. Cross-departmental collaboration is an enormous task that is usually not performed without stepping on the toes of department heads. In some businesses, your role as a DPO will be to bring a certain culture shift to the company and make employees rethink how they view privacy and adapt that paradigm shift into their product development and marketing strategies.
The role of a Data Protection Officer is a relatively lonely one. While, yes, you should cooperate with and educate your coworkers and influence the decision makers on a strategic level, you will probably be the only person at your company pushing for changes, which also means you should prepare for some amount of frustration. Adoption of a privacy mindset will most likely not be fast or easy. Building a network of like-minded individuals who can help you with advice and guidance, and share their experience, should be on your to-do list.
Many data protection officers still conduct their work, mapping and inventory operations included, with manual or informal tools: email, Excel spreadsheets and in-person meetings. These tools are inefficient and can lead to poor performance. Using specialised tools increases productivity and transparency, speeds up workflow and improves collaboration. It lets the DPO have a better overview of the compliance programme's progress, gaps, maturity and the action points needed to mitigate risks. The challenge is that unless you justify the business case, senior management will often not see the benefit of such tools or the need to invest in them (see our article on justifying governance: https://www.privacyone.co/post/the-business-case-for-gdpr-maturity-and-governance).
Fines and Mistakes
Since the GDPR came into force nearly 4 years ago, most EU member state data protection authorities have not sat idly, but have been proactive and have issued more than 950 fines, totalling in excess of 1,5 billion €. It is important to study these decisions, as they set new standards and settle questions we struggle with in the field. Looking at the statistics gives us good insight into what we must pay extra attention to in order to avoid similar fines ourselves.
The highest to date, with more than 340 cases in which violations were found, is non-compliance with general data processing principles and an insufficient legal basis for data processing. See below for an analysis of the reasons for recent fines:
Figure: Trend of types of GDPR violation, by the volume of fines.
One of your tasks is to make sure the company adheres to the principles the GDPR sets forth and that they are properly implemented in the workplace, whether that is a sufficient legal basis for data collection, data minimisation or others.
Insufficient technical and organisational measures to ensure information security was the reason for a fine in more than 200 cases around the EU. This is a key DPO responsibility: it is the DPO's job to inform and advise the business on best practices and to make sure they are implemented in the existing workflow, be it through employee education or the use of new tools.
As a DPO, you are the contact within the organisation when it comes to individuals exercising their rights, and it is your responsibility to comply with DSARs (data subject access requests) and, in case of a data breach, to fulfil your responsibility to the data subjects and inform them of it. Insufficient fulfilment of these tasks resulted in more than 90 fines, totalling over 17 million €.
A Data Protection Officer's job is diverse and demands one to be agile and assertive. You will be juggling many roles, training your fellow employees in the ways of privacy while ensuring that data at your business is secure and that the GDPR is thoroughly implemented. Depending on how eager the company leadership is to enact changes and to see value in protecting data subjects' rights, you might face some difficulties and frustrating obstacles. Learning from others' experiences and from past DPA decisions might help you find vulnerabilities in your own system and provide insight into how to proceed.
The challenges are great, but as a newly certified DPO, or if you have taken up the role at your workplace, you have at your disposal numerous tools that can make your job easier. Tools allow you to rank tasks by severity, priority and ease of implementation of the measures meant to mitigate risks. They give data protection officers a better overview of the company's privacy policies and DSARs, and let them perform gap analysis and risk assessment, track maturity and follow up on actions. Privacy1, a Swedish company, offers these advanced security and privacy solutions. Whether you are looking to protect the actual data you are responsible for and avoid data breaches, or just to document the personal data you hold and manage your use of personal data better, we have solutions for you.