How many workers with other business responsibilities have been told that they are the designated Data Protection Officer? Not all organisations employ a full time Data Protection Officer. The alternative is to appoint an existing member of staff, probably without any additional budget!
Whether a full time, trained and experienced DPO is required depends on the nature and scale of the personal data processing the organisation carries out. However, if the business needs a DPO at all, a level of risk has already been identified in its data processing, and that risk indicates that the person filling the role needs a matching level of skill and experience.
GDPR requires that the DPO be designated on the basis of professional qualities, in particular expert knowledge of data protection law and practice; the regulators' guidance adds that the DPO should also understand the business itself and how it uses personal data.
The role of Data Protection Officer is a statutory role with formal obligations and specific duties to carry out. Even where the role is advisory and voluntary (a Data Protection Manager, Adviser or Coordinator, for example) rather than mandatory, it is good practice to carry out checks on data protection compliance. Note also that where a particular processing activity triggers the requirement to designate a DPO (public authorities, large-scale regular and systematic monitoring, or large-scale processing of special categories of data), the DPO's compliance activities are not restricted to that higher risk activity: they should cover all the personal data processing undertaken by the organisation.
So how do you stretch existing resources to carry out the role to a good standard?
Our top tips for the DPO on a shoestring budget
- Plan your year. Focus on the higher risk areas, prioritise new projects that will need a Data Protection Impact Assessment, and schedule the time you have against the known risk hotspots. Brief senior management on your approach and ask them to approve the work plan. If you are later asked to deviate from the plan, ask what additional resource will be made available to do so.
- Not every compliance check needs a trained DPO to carry it out. It can be helpful to get a view from staff at all levels, for example to gauge whether training material is actually being accessed and absorbed. Keep a store of lower level checks ready (each one detailing the objective of the check, the process to follow and how to record the results) so that you can hand one over if suddenly offered an afternoon of someone's time. Talk to HR about recruitment: are there gaps in the induction schedule you can use? Is anyone temporarily at a loose end because of a departmental reorganisation? Can operational departments be persuaded to provide secondees from time to time? They gain a more in-depth understanding of data protection and the DPO gains valuable resource.
- Find out what internal and external audits are planned during the year and get input into the scoping of the audit work. If possible, speak directly to the people who will carry out the audit and build in checks that will be useful to the DPO; for example, Health & Safety audits at different premises could include checks on how CCTV is operated there.
- Checks on third party providers should cover their security measures and the data protection training given to the contractor staff who handle the data. Remember that the business is responsible for carrying out those checks; the DPO's job is to check the checkers.
- Identify pockets of "free" resource you can tap into. For example, while senior managers are on holiday their Personal Assistants might have time to check how easy it is to find the relevant policies, procedures and training material, and to carry out some basic checks on them, such as whether they are up to date and comprehensible. Similarly, are there apprentices or new starters who can be tested on the company's data protection awareness training? Gather their feedback, then test their knowledge again after, say, two months and again after six months to see what has stuck.
- Find out about free data protection seminars and join discussion groups. Tap into what other DPOs are doing and what their experience has been. Subject to NDAs, it may be possible to arrange a day on site with another DPO and then invite them back to see your set up. Peer review will be one of your strongest tools.
- Many sectors have sectoral discussion or interest groups. Find out what is available and don't be hidebound by labels: "company secretaries", "compliance officers" and "governance professionals" all have the same goals in the end. Make sure colleagues know that you would like to attend sector specific meetings as a guest whenever data protection is on the agenda.
- Subscribe to the big conference organisers and go along to the relevant events, if not as a delegate then as a visitor to the ubiquitous exhibition, and talk to the exhibitors. Find out what is new and what the current trends and concerns are, and ask technical questions to get information for free. Exhibitors love talking to people; their nightmare is a conference where no one speaks to them, not one where someone picked their brains a bit.
- There is a lot of free training material and many free webinars available online. Rather than searching for help with the DPO role in general, focus on individual topics such as "social media compliance" or "website compliance", and read the articles published on legal websites.
- Conflicts of interest are never easy to manage, and it is hard to hold the line that your role is to check the work rather than to do it in the first place, especially as business colleagues will see the DPO as the most skilled and appropriate person to draft documents for them. GDPR requires that any other tasks given to the DPO must not result in a conflict of interests, and giving in and writing wordings for clauses, privacy notices and the like both places extra demands on the DPO's time and compromises his or her independence. It is impossible to carry out a proper independent check of your own work. Try offering a solution instead: suggest searching online for the wording required, suggest key phrases colleagues might use, or ask for assurance that the department will pay for an external review of any wording the DPO drafts. In the end a compromise may be required, but the DPO should record the conflict and consider how best to remedy the lack of independent oversight. Possibly trade the drafting for a half day of lower level checks, and take the argued over wording to the next free conference for independent input.
Data Protection Consulting offers support to businesses of all types and sizes. We can support your Data Protection Officer with legal advice and guidance on best practice and we have a package of mini audit forms to use when checking compliance and to evidence the results. We can also provide interim short or long term DPO services. Give us a call or complete our website contact form, we’d be happy to help.