Dealing with The Board of Directors
Being a DPO is an important position. Even if this is a responsibility you have taken on in addition to another role, it is something you should take seriously. You are now the data privacy advocate within your organisation!
You have responsibilities to the public and the regulator.
Not only will you be front and centre in the event of failure, you also have a moral responsibility to stand up for the people you have been appointed to protect. You are obligated to report risks to the highest levels of management and/or the board, and have a responsibility to inform the relevant regulatory authorities if those risks remain unmitigated and unacceptable.
You are not legally required to blow the whistle on your organisation. However, you are not bound by confidentiality from contacting the relevant regulatory bodies, you are encouraged to do so, and you are legally protected from reprisals.
What You Need to Do
To be a DPO, you need to understand your organisation's data compliance liabilities and how they relate to the flows of data throughout your organisation. This may be relatively simple for static data operations, only really requiring intensive review while becoming compliant with the GDPR or when implementing a major change.
Other organisations will require their DPO to continually review, update and check data processing operations. This means undertaking risk assessments and regular DPIAs for new or expanded data processing or collection. It can also include regularly scheduled audits and full system reviews. You may be responsible for a team of staff to help engage with this process.
In all circumstances, it is your responsibility to build a defensible position around your data collection, processing and retention policies. This means building up a documented archive of assessments, recommendations and actions. You need to advise your organisation's management and board on how to develop best practices for data privacy and regulatory compliance.
Companies in the EU need to remain conscious of partnerships outside the EU that involve the data of EU citizens. Under the GDPR, a failure by an outsourced party will be your responsibility as well, particularly in your role as Data Protection Officer.
It is your job to determine how much attention your organisation's data processing operation will require. To do that, you need to understand the nature of your organisation's data processing in the context of the relevant regulations.
Organisational Responsibilities to You
You are legally protected from penalisation for performing your duties. This includes threats as well as actions. Organisations are prohibited from placing limitations or instructions on you about how to best carry out your role. This includes how and when to undertake assessments, what conclusions to draw or how to interpret data protection law.
Data processors and controllers are legally obligated to inform you of changes to data processing or collection policies. They are required to involve you in the undertaking of DPIAs and provide you with sufficient resources to adequately carry out your responsibilities.
As DPO, you must be provided with clear and direct lines of communication to the board and/or the highest levels of management. Your contact details must be made publicly available and provided to the relevant regulators. You must be contactable without the regulator needing to alert other elements of your organisation.
What Good Looks Like
The best practice outcome as a DPO is to generate a comprehensive overview of your compliance obligations and data processing. To do that, you need to detail existing risks, create mitigation plans for those risks, and then create actionable steps to implement those changes. You should then set up criteria that allow for the assessment of all new projects and changes to existing processes. This means thinking about privacy by design for all developments involving the use of public data. The DPIA is the main tool for achieving all of these outcomes.
Management is not required to follow your advice; however, they should document the reasons you were overruled. If you feel this was done negligently, you should pass that information on to the relevant regulatory authorities.
You want to create a culture of data protection and compliance in your organisation. To achieve that, you should conduct staff training exercises and disseminate policy information. Ideally, you will set up regular audits and reviews of data processing and create a systematic policy of engaging in data protection procedures and DPIA review for all new projects and changes.
You should meticulously document all of your actions as DPO, and keep an up to date log of the data processing policies and operations undertaken by your organisation. Records are one of the most important functions of your new role — keep them diligently and keep them up to date. The GDPR places the burden to demonstrate compliance on organisations. Records are your means of doing that. Record assessments, recommendations and documented actions.
At the very least, you need to get your organisation up to date with GDPR compliance. That means conducting a DPIA for all current operations involving the use of public data. You should then make sure to carry out a risk assessment and potentially a DPIA in response to all changes to ongoing procedures or new projects.
Following that, your major obligation is simply to keep a record of everything you do, and make reports to your board commensurate with their expectations.
Your minimum goal is to create a defensible position around your data collection, processing and retention policies. That means showing how your organisation has strived to meet compliance requirements, even if you have failed to do so. It also means keeping a record of how you are actively planning to continue to improve data privacy outcomes. You then need to document the actions taken to execute that plan for data privacy compliance.
Being a DPO
Being a DPO is all about understanding how your organisation handles public data and how that relates to your regulatory liabilities — first and foremost being the GDPR. The main expectation on you is to be able to demonstrate compliance to a regulator, or the public, in the event of a breach. Exactly how cumbersome that task will be depends on the complexity of your organisation's relationship to data.
The first thing you need to do is develop a detailed understanding of your organisation's data processing operations. From there, you need to create a roadmap for mitigating risks with the aim of bringing your current operations into compliance with regulatory standards. There are a number of proprietary software packages available that can help you carry out this audit, although it is also something you can undertake in-house or manually.
The key to making this system sustainable is to detail the changes likely to occur in the future and develop a process for the assessment and integration of new and altered projects into a data privacy compliance framework. Doing all of this will bring your current system into GDPR compliance and enable you to better understand the ongoing requirements of your new role.