As data protection laws continue to be revised or are being tabled for implementation — Ecuador, Chile, Indonesia, Thailand and China are some that come to mind — the data protection officer becomes increasingly important to an organization.
Article 39 of the EU General Data Protection Regulation provides quite a few mandatory tasks for the DPO but should not be read as an exhaustive list:
- To inform and advise the controller or the processor and the employees who carry out processing of their obligations under the GDPR and other EU or member state data protection laws.
- To monitor compliance with the GDPR and other union or member state data protection laws but also with the data protection policies of the controller or processor, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations and the related audits.
- To provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35 of the GDPR.
- To cooperate with the supervisory authority.
- To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation following the conduct of a DPIA referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
- As an overarching principle in the performance of their tasks, the DPO shall have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
In addition, there's the DPO Competency Framework and Training Roadmap by the Personal Data Protection Commission of Singapore. These can be summarized as covering four key areas: advise, communicate, analyze and inspire. Or, for fun, you might summarize this as the "açaí framework."After all, the DPO is like a superfood to the organization.
The DPO is a superfood to the organization
It is with great relief that the myth of a DPO being in a cost function is being dispelled. Instead, a DPO can greatly boost the organization’s health by building up the immune system against data breaches and is hence a valuable business partner to enable further growth. Much like the açaí is a superfood, here are the core functions and benefits of a "superfood DPO."
A DPO must identify legal requirements and their applicability to the organization they serve. This spans the entire privacy life cycle: assessing the risks, designing controls, implementing a data protection management program and sufficiently responding to a breach. As a rule, the DPO must consider the vision or mission statement of the organization’s data protection and privacy strategy. In addition, they must understand the organization’s business processes as thoroughly as specific laws, regulations and statutes that apply to the business (i.e., consumer rights or banking and financial services regulations). As a result, DPOs may save their organization a lot of time by avoiding duplication of work if they are strategically clever in identifying "common ground" and advising accordingly in instances such as data protection/privacy impact assessments.
Above all, a key skill of the DPO is to communicate efficiently and effectively with internal and external stakeholders, such as the supervisory authority, management, employees and clients. While this is obviously crucial during a data breach, great communication is also paramount to identifying risks and winning support to realistically implement a data protection management program. In addition, forward-thinking DPOs looking to build an empowering corporate culture will seek to win over allies within the organization (usually found in the data protection committee), and this gets even more complicated when the organization has multiple offices across the world.
However, the bulk of the key competencies are probably found in the DPO’s ability to analyze. This includes conducting data protection audits, running a risk management program, creating data protection action plans, and assessing the readiness and suitability of data protection design measures, such as privacy by design and default. While there is no need to speak "tech" from the start, DPOs should not be afraid to review the exact technical functioning of apps or devices and, where necessary, to ask for explanations. Since important information can get lost in the noise between different company departments, they can point out previously unnoticed weak points, therefore encouraging their organizations to provide data subjects with accurate and meaningful information about their rights and how their personal data is processed.
An organization can only realistically expect to have sound data protection practices in place if a data protection committee is functioning well. In other words, a DPO must be able to first spur their colleagues in the committee and then the rest of the organization toward naturally recurring sound data protection practices.
The DPO role is quickly advancing — from data protection managers to regional and even global DPOs — while the opportunities for growth are immense. Expect organizations to look for their superfood even more ferociously as the need for data protection health intensifies.
After all, besides looking for more DPOs, organizations will be looking for better DPOs — açaí DPOs.
If you want to comment on this post, you need to login.