We are often asked why an organisation should not just “employ a lawyer” to perform Data Protection Officer services, or assign an existing IT employee to the role part-time. In this article, we will concentrate on why the DPO is very different from a lawyer.
There is a fundamental difference between understanding why a legal rule applies and how to make that an operational reality in an organisation.
In contrast to a lawyer, professional DPOs must understand both what the law requires and how to implement compliance with that law in an operational sense.
In practice, this means helping a business close its GDPR gaps in every function, at every level, across people, processes and technology. As such, we have to understand how each part of the organisation operates, how those parts communicate with each other, and how to implement a data protection programme in a way that makes sense for that organisation and its operating model.
Under the GDPR, many organisations hired a Data Protection Officer (‘DPO’) to help with data protection compliance.
At the bare bones level, the DPO is mandated by law to:
- inform your organisation of its GDPR obligations and provide relevant advice
- monitor compliance with the GDPR and other data protection laws, and ensure that staff have the proper responsibilities and are appropriately trained
- audit data protection compliance
- be the contact point for your customers and staff for data protection matters
- cooperate with the data protection authorities that operate across the EU
However, there is a lot more to the DPO role!
Key roles and responsibilities
Let’s take the requirement for a data controller to provide instructions to a data processor (typically an outsourced service provider) before they can process personal data. There are several key roles and responsibilities here. When DPO Experts works with a client as their external Data Protection Officer, we will typically:
- identify the compliance risks
- determine the critical risk controls required
- dovetail this with the data protection risk strategy that we created
- guide supplier due diligence, particularly for information security
- ensure that the documented instructions capture all the operational and compliance requirements
- provide advice on changes to the processes and procedures to be compliant
- monitor those supplier relationships in respect of GDPR performance
- undertake inspections or audit the processors
None of these tasks are the work of a lawyer!
Data protection and GDPR compliance are about changes in the way the business thinks and acts. This starts with the board and permeates your organisation’s operations, looking at the data you process, why that data is processed, your business processes, procedures, IT systems, information security, people’s behaviours, supplier relationships, customer service, marketing, monitoring, auditing and so on.
We, as DPOs, must be multi-disciplined
Depending on the complexity of our client’s circumstances and needs, it may be necessary to use functional specialists to support us when acting as the external Data Protection Officer. For example, the GDPR requires organisations to have documented instructions between data controllers and data processors, the latter typically being an outsourced service provider. In this situation, the DPO will be able to advise on how to produce those instructions in the light of the operational context, processes and procedures. However, where complex legal relationships exist in the background, the legal representative in our team will assist in aligning the data protection needs with the overall commercial relationship.
Another example of where we draw from a mix of functional experts is IT security. Again, in many instances, the DPO will guide the organisation in getting its IT security under control. Yet some organisations, which have high data protection risks and perhaps an online business model, may benefit from a deep dive conducted by our IT security experts. When the data controller outsources high-risk data processing to a supplier, supplier due diligence around information security may also be appropriate. For this, we assign our IT security colleagues to assist.
‘In-depth understanding of the technological landscape.’
The majority of our clients also require technical changes to be implemented for GDPR compliance. This requires an in-depth understanding of the technological landscape, best practice in information security, approaches to encryption, anonymisation and pseudonymisation, and information security controls. The professional DPO understands these technical concepts and will also understand how they relate to other organisational measures across the people and process dimensions. Lawyers do not have the expertise or experience in planning or implementing such organisational and technological transformation.