Author: Vlatka Vuković, Privacy and Data Protection Specialist, CIPP/E, ISO 27001 LA, ISO 9001 LA
DPO – a dream job?
Designation conditions, position within the organization, and tasks of the Data Protection Officer (DPO) are clearly defined in the GDPR. Reading those provisions, anyone would want to be a DPO.
A DPO is an expert, reputable and respected, who answers directly to top management and is trusted by all organizational levels, independent and unbiased, resolving exciting legal-technology issues, with an entire team and all necessary resources at their disposal.
The DPO attends professional conferences, constantly improving their knowledge and skills, and cannot be dismissed or penalized for performing the appointed tasks.
Sounds like a dream job! However, let’s get back to reality.
Highly regulated and well-organized enterprises that have recognized the importance and benefits of having a DPO and a privacy team are the exception rather than the rule.
Most organizations still consider personal data protection and information security to be a burden and yet another regulatory obligation.
DPOs fight daily for their place under the sun, the same one granted to them by the law. It is for these fighters that these guidelines are intended.
Step 1: Introduce yourself and meet the company
So, you have been hired or designated as DPO. Congratulations!
According to the appointment decision, your tasks are, among other things, the following:
- to inform and advise the controller or the processor and the employees who carry out the processing of their obligations pursuant to the GDPR;
- to monitor compliance with the GDPR and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance;
- to cooperate with the supervisory authority;
- to act as the contact point for the supervisory authority on issues relating to processing, including the DPIA prior consultation, and to consult, where appropriate, with regard to any other matter.
Does everyone know what your role is as a DPO?
Who are you, what is the purpose of your role, why is the DPO important, and how and why should you be contacted?
Make sure the entire organization knows the answers to these questions.
Put yourself on the map
Depending on the internal communication channels, ensure that the news of your appointment and your contact information are made available to everyone within the organization.
This can be achieved through an internal newsletter, intranet article, circular memo, bulletin board, or by sending an official notice to the business process owners.
Do it in a way that is appropriate and commonly used to communicate important news or changes to the organization’s business.
Participate in drafting the notice so that it is easy to understand and tailored to the reader, whether they are a lawyer, a pharmacist or a sales representative.
Along with the notice, you can also prepare a leaflet or a short PowerPoint presentation, stating your contact information, describing your tasks and explaining in which situations it is suitable to ask for your advice.
Attend a top management meeting
Since you have been appointed by the board, request to attend the next top management meeting. There you will have an opportunity to get to know the key managers, and they will have the opportunity to get to know you.
Take this opportunity to briefly explain what personal data protection is, why it is important, what the possible negative consequences of breaching the provisions of the GDPR are, and how you can help the organization operate successfully while still respecting all its legal obligations and the rights of individuals.
Keep this presentation concise and informative. Avoid complicated legal terms and do not focus only on administrative fines. Personal data protection is much more than that!
Get to know everyone
After meeting with the top management, get to know other key roles and key business processes.
Simply send an email to colleagues with greater responsibilities (i.e. department and sector managers) and organize shorter, 30-to-45-minute meetings with them.
This process will take some time, depending on the size of the organization and its business. Do not rush it, because this is one of the most important steps for a newly appointed DPO.
It is one way to get recognized as a partner and advisor. It is an opportunity to provide your first advice and guidance.
Make allies within the company
Do not act as a critic or an inspector: the point of these meetings is to get to know the processes, but also to get to know the people and to look for “allies” for future tasks.
Certainly, an informative half-hour dialogue is not enough to get to know all processing of personal data nor to understand all business processes, but it is an indispensable first step and even a possible beginning of a wonderful friendship.
There are 4 more steps you can take in order to create support and urgency for your privacy program. Want to continue reading?