Now that GDPR has been in force for some months (9 at time of writing) we can take a view on how the DPO role is developing in practice. Everyone agreed that there was a shortfall in the number of suitably qualified and experienced compliance personnel to fill this new role. The designated Data Protection Officer is no lightweight role!
When considering the attributes of a good DPO, my view remains that understanding the sector and knowledge of how the organisation operates is more important than data protection expertise which can be “bolted on” either through intensive training courses or by the DPO working with external consultant support at least initially.
In practice we have found that many organisations are hoping that they do not require a DPO. So much depends on what is meant by “large-scale” when considering whether specific activities constitute “large scale monitoring” or “large scale processing of special category data”. Since we are all aware that, having once appointed a DPO, it will be difficult to explain why the role is no longer deemed necessary, many organisations are hanging back from appointing one. Our advice is still to nominate a central contact for data protection issues and enquiries. Use a different job title, for example Data Protection Coordinator or Data Protection Adviser. Then if, at some point, the decision not to appoint a DPO turns out to be the wrong decision, at least having someone in role will help mitigate the legal consequences and allow the organisation to become compliant more quickly.
Other organisations have made an initial appointment of DPO from an existing team, on a part-time basis, to be absorbed into other duties. There are a couple of problems with this approach. Firstly, the new DPO needs time to skill up for the role and time to carry out the role. The DPO is a statutory role with obligations and duties prescribed in GDPR. In our view the DPO needs to monitor not only the compliance of the organisation with GDPR but the integrity of their own role. GDPR expressly provides that the DPO is not responsible for the compliance of the organisation, but our view is that they will be held responsible for discharging the obligations and duties of the role itself to a reasonable standard.
In the months since GDPR took effect we are aware of a number of DPOs who may have been less than thrilled at their new role and who have failed to fulfil expectations in role. In general we think that this is because the appointment has been given to a junior colleague who does not (yet) have the seniority within the organisation either to be heard or for their words to be given due weight. Mentoring by senior colleagues does not always work at this point. The DPO is the statutory appointee and is the focus of day-to-day data protection compliance activity in the workplace. The senior colleague is not always on hand to support a DPO who is lacking in confidence or gravitas. As a result there have already been casualties: leavers, stressed colleagues on long-term sick leave and unhappy people who are presumably looking for a new job!
25 May 2018 has started to feel a bit like Y2K. Everyone was frantically working towards the implementation date in the first part of last year, but activity stopped at the end of May in many organisations. Even senior DPOs with other responsibilities found that they had to “catch up” with other work which had been left as a lower priority than GDPR implementation. Other issues were always bound to arise, Brexit being a big one that has taken senior managers away from other responsibilities.
What now for the DPO?
As we approach the first anniversary of GDPR, now is a good time to kick-start the in-house audit and training programme. Pick a higher risk data processing activity such as monitoring, or HR or another department that handles special category data, and carry out a few audit checks on transparency (privacy notice), data minimisation and security, ensuring that a good audit trail is documented and supported with evidence.
Now is also a good time to review staff training. Last year it was acceptable to ask for guarantees that training was GDPR compliant, but the DPO cannot rely on untested statements. Before the first anniversary of GDPR we would advise DPOs to check the content of training material themselves for any incorrect or misleading statements and for inconsistencies with house policies and procedures. It is a surprisingly quick job once you get started. The in-house DPO needs to rely on others to some extent to carry out the duties required of the role. The support team should include external advisers; reviewing the content of technical material such as training is simple to outsource.
Planning is also a good way to demonstrate that the DPO role is being fulfilled to a reasonable standard. If resources are limited then it is important to make the most of them, targeting compliance activity appropriately based on the resources available and the risk presented by the data processing carried out by the organisation. Lack of planning can result in wasted resources, for example time lost trying to identify what to check first, or scheduling time with a manager at short notice only to find that he or she is on leave.
How we can help
Data Protection Consulting offers support to businesses of all types and sizes. We can support your Data Protection Officer with legal advice and guidance on best practice, and we have a package of mini audit forms to use when checking compliance and to evidence the results. We can also provide interim short or long term DPO services. Give us a call or complete our website contact form; we’d be happy to help.