How many managers with other work responsibilities have been told to pick up the role of designated Data Protection Officer? More than a few, we think. Not all businesses employ a full-time Data Protection Officer, so the role is allocated to an existing member of staff, probably without any additional budget!
Whether or not a full-time, trained and experienced DPO is required will depend on the circumstances of the personal data processed by the business. But you have to accept that if the business requires a designated DPO, a level of risk has already been identified in that processing, which would tend to indicate that some level of skill and experience is required. Also, the GDPR expressly states that the DPO should be knowledgeable about the business itself and data protection law.
The role of Data Protection Officer is a statutory role with formal obligations and duties to carry out. Even where the role is advisory rather than mandatory (if you don’t need a DPO it is still a good idea to appoint someone as the central contact for data protection queries, but use a different job title), it is good practice to undertake checks on data protection compliance. Where certain processing activity requires the designation of a DPO, his or her compliance activities are not restricted to the higher-risk processing activity but should encompass all the data processing activity undertaken by the organisation.
So how do you stretch existing resources to carry out the role to a good standard?
Our top tips for the DPO on a shoestring budget
- Plan the year ahead. Pick out the higher-risk areas to focus on, prioritise new projects (undertaking Data Protection Impact Assessments) and schedule what time is available to target risk hotspots. Ensure senior management understand the approach, approve the work plan and receive progress reports. If asked to deviate from the plan, ask what additional resource will be available.
- Not all compliance checks require DPO training; in fact, you need the views of all levels of staff to gauge whether training material is being accessed and absorbed. So ensure there is always a store of lower-level checks (outline the objective of the check, the process to follow and how to record results) to present if suddenly offered an afternoon of someone’s time! Talk to HR about recruitment: are there gaps in the induction schedule that offer time you can use? Is anyone at a loose end in the short term due to reorganisation of departments etc.? Can operational departments be persuaded to provide secondees from time to time, both to gain an in-depth understanding of data protection and to provide valuable resource to the DPO?
- Find out what internal and external audits are planned during the year. Try to have input into the scope of audit work. If possible, speak directly to the people who will carry out the audit and build in some checks that will be useful to the DPO; for example, Health & Safety audits at different premises could include checks on the operation of CCTV, whether signage is appropriate and whether cameras are recording relevant images only.
- Third-party provider checks should include security measures and contractor staff training for operational purposes. These are points that should be covered at regular review meetings between the service provider and the in-house operational manager responsible for the relevant department. Remember, the business should carry out the checks; you should be checking the checkers.
- Identify pockets where there might be “free” resource you can tap into! For example, when senior managers are on holiday, their Personal Assistants might have time to check how easy it is to find relevant policies and procedures or training material, and to carry out some basic checks, for example whether they are up to date, easy to understand and whether template policies and procedures have been tailored correctly (see our article on the problems of using templates without reading them first here). Similarly, are there any apprentices or new starters who can provide insight into the company’s data protection awareness training? It is possible to get some feedback and then test their knowledge again after, say, two months, and again after six months. This might evidence that annual training is too infrequent (or too frequent), or that, because of other ongoing informal training, key messages are not being assimilated, or that the training material needs to be refreshed.
- Find out about free seminars and join discussion groups. Try to tap into what other DPOs are doing and what their experience is. Subject to NDAs, it might be possible to arrange a day on site with another DPO and invite them back to see your set-up. After all, peer group review is one of the strongest tools.
- Many sectors have sectoral discussion or interest groups. Find out what is available and don’t be hidebound by labels: company secretaries, compliance officers and governance professionals all have the same goals in the end. Make sure that colleagues are aware that you would like to attend sector-specific meetings as a guest when data protection is on the agenda.
- Subscribe to all the big conference organisers and go along to relevant ones, if not as a delegate then as a visitor to the ubiquitous exhibition, and talk to the exhibitors. Find out what is new and what the current trends and concerns are, and ask technical questions to get information for free. Exhibitors love talking to people; the exhibitors’ nightmare is a conference where no one speaks to them, not one where someone picked their brains a bit!
- There are a lot of free training materials and webinars available online. Rather than searching for help with the DPO role in general, try focusing on individual topics such as “social media compliance” or “website compliance”. Read articles published on legal websites.
- Conflicts of interest are never easy to manage, and it is hard to stick to the line that your role is to check rather than to undertake the work in the first place, especially as business colleagues will view the DPO as the most skilled and appropriate person to draft documents for them. However, giving in and writing wordings for clauses, privacy notices etc. places extra demands on the DPO’s time and, at the same time, compromises his or her independence. It is impossible to carry out a proper independent check of your own work! So the DPO can either offer a solution, suggest googling the wording required, suggest key phrases colleagues might use, or ask for assurance that the department will pay for an external review of any wording the DPO drafts. In the end a compromise may be required; after all, the DPO does have the skill set to draft wordings as a result of checking them, but the DPO needs to make a note and consider how best to remedy the lack of independent oversight in these circumstances. Possibly do a trade for a half day of lower-level checks, and take the argued-over wording to the next free conference for independent input!