Getting the most from your DPO
In its 2020 Emerging Jobs Report, LinkedIn ranked Data Protection Officer (DPO) as the second highest emerging job in the UK, reflecting the growing importance of the role since the implementation of the EU General Data Protection Regulation (GDPR) in 2018.
Without doubt, the regulation fuelled demand for the role, with some figures estimating that anywhere between 30,000 and half a million DPOs were recruited across the European Economic Area to manage GDPR alignment.
Appointing a DPO is mandatory for public authorities or bodies, and for organisations whose core activities require ‘large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking) or large-scale processing of special categories of data or data relating to criminal convictions and offences’.
This hasn’t changed with the UK leaving the EU – the UK GDPR also requires organisations to appoint a DPO based on the same criteria mentioned above. Small and medium-sized enterprises (SMEs) should also not make the mistake of thinking they are exempt from the DPO requirements due to the size of their business. Should any or all of the above criteria apply to them, i.e. if you need to process personal data to achieve your organisation’s key objectives, then you will need to appoint a DPO.
The ICO states that the DPO must be ‘independent, an expert in data protection, adequately resourced, and report to the highest management level’ and that they can be an existing employee or externally appointed.
That said, regardless of whether your company is legally obliged to appoint a DPO, you must still ensure you have the staff and resources to manage your data privacy obligations under the regulation. A DPO is there to ensure your activities operate within the law, so it really is a crucial role, particularly during current times, when many businesses have a large majority of employees working from home.
However, over many years working in this space, we have too often seen the role of the DPO viewed as a ‘blocker’, or as imposing an unnecessary administrative burden by insisting that the correct policies and procedures are in place.
Therefore, many organisations may not be making the most of the expertise held by the DPO or utilising it in the most effective way.
So, how can you get the best from your DPO?
1. Ensure the senior leadership team is on board
As mentioned, the UK GDPR requires that the DPO ‘reports to the highest management level’, so regular communication with the board is crucial. However, this is only part of the story – the senior leadership team also needs to be fully supportive of what the DPO is there to do, and should regularly communicate the importance of compliance to help engage the rest of the workforce.
2. Increase visibility and engagement
When the leadership of an organisation is engaged, the DPO must then become an embedded and sought-after resource throughout the rest of the organisation. To avoid being seen as a ‘blocker’ with a ‘you can / can’t do something’ attitude, the DPO should have a more creative ‘how can we do this together’ approach. As well as the ‘enforcer’, the DPO should also be the ‘translator’, i.e. someone who is there to make data protection simple. If the workforce feels they are involved in the process, rather than being dictated to, it will make the DPO’s job a lot easier.
3. Appoint additional champions
Part of encouraging widespread engagement with data protection across the business is appointing a strong, proactive team of departmental champions to support the DPO. These champions will have a deeper understanding of their particular department’s data requirements, so they can help the DPO communicate in the right way.
4. Consider a DPO with additional skills
As well as being a data protection expert, DPOs often have additional skills such as IT or security. This means they can provide further services over and above their core role, so your organisation can benefit from increased expertise.
For more advice and strategies, our free ‘Data Protection Made Easy’ guide outlines six easy steps on how your organisation can ensure GDPR alignment. To download your copy, click here.
The Compliance Space can help you effectively manage your data protection obligations and GDPR alignment – find out how by booking a demo.