The Data Protection Officer is very different from a lawyer

We are often asked why an organisation should not just “employ a lawyer” or an existing IT employee part-time to perform Data Protection Officer services. This article will concentrate on why the DPO differs significantly from a lawyer.

There is a fundamental difference between understanding why a legal rule applies and how to make that an operational reality in an organisation.

In contrast to lawyers, professional DPOs must understand both what the law requires and how to implement compliance with that law operationally.

In practice, this means helping a business close its GDPR gaps in every function, at every level, across people, processes, and technology. As such, we have to understand how each part operates, how to communicate with each other, and how to implement a data protection programme that makes sense for that organisation and its operating model.

Under the GDPR, many organisations hire a Data Protection Officer (‘DPO’) to help with data protection compliance.

 

At the bare bones level, the DPO is mandated by law to:

  • inform your organisation of its GDPR obligations and provide relevant advice
  • monitor compliance with the GDPR and other data protection laws, and see staff have the proper responsibilities and are appropriately trained
  • to audit data protection compliance
  • be the contact point for your customers and staff for data protection matters
  • cooperate with the data protection authorities that operate across the EU

 

However, there is a lot more to the DPO role!

 

Key roles and responsibilities

Let’s take the requirement for a data controller to provide instructions to a data processor (typically an outsourced service provider) before they can process personal data. There are several key roles and responsibilities here. When DPO Experts work with a client as their external Data Protection Officer, we will typically:

  • identify the compliance risks
  • determine the critical risk controls required
  • dovetail this with the data protection risk strategy that we created
  • guide supplier due diligence, particularly for information security
  • ensure that the documented instructions capture all the operational and compliance requirements
  • provide advice on changes to the processes and procedures to be compliant
  • monitor those supplier relationships in respect to GDPR performance
  • undertake inspections or audit the processors

 

None of these tasks are the work of a lawyer!

Data protection and GDPR compliance are about changes in business thinking and acting. This starts with the board and permeates your organisation’s operations, looking at the data you process, why that data is processed, your business processes, procedures, IT systems, information security, people’s behaviours, supplier relationships, customer service, marketing, monitoring, auditing and so on.

 

We, as DPOs, must be multi-disciplined

Depending on the complexity of our client’s circumstances and needs, it may be necessary to use functional specialists to support us when acting as the external Data Protection Officer. For example, the GDPR requires organisations to have documented instructions between data controllers and data processors, typically an outsourced service provider. In this situation, the DPO can advise on how to produce those instructions in the light of the operational context, processes and procedures. However, where complex legal relationships exist in the background, the legal representative in our team will assist in aligning the data protection needs with the overall commercial relationship.

IT security is another example of where we draw from a mix of functional experts. Again, in many instances, the DPO will guide the organisation to get its IT security under control. Yet, some organisations with high data protection risks and an online business model may benefit from a deep dive conducted by our IT security experts. When the data controller outsources high-risk data processing to a supplier, supplier due diligence around information security may also be appropriate. For this, we assign our IT security colleagues to assist.

 

‘In-depth understanding of the technological landscape.’

 

The majority of our clients also require technical changes implemented for GDPR compliance. This requires an in-depth understanding of the technological landscape, best practices in information security, approaches to encryption, anonymisation, pseudonymisation, and information security controls. The professional DPO understands these technical concepts and will also know how they relate to other organisational measures across the people and process dimensions. Lawyers lack expertise or experience in planning or implementing such organisational and technological transformation.