The Data Protection Officer, your Privacy Sherpa!
GDPR has been in full force for just over a week now. Let’s take a look at the Data Protection Officer, as this professional has important tasks to fulfil as the company’s subject matter expert. Even when you are not legally required to appoint a DPO, doing so can still bring many benefits to your organisation.
The Data Protection Officer (DPO) is the trusted advisor for all matters related to privacy and data protection, especially if an organisation’s core business is based on personal data processing. In some instances the appointment of a DPO is mandatory. Where this is not the case, it is encouraged as a matter of good practice and to demonstrate compliance.
Appointing a DPO
Climbing the GDPR summit takes a lot of preparation, perseverance and team effort, especially since the summit is partly obscured by clouds. How do you ensure that your organisation has sufficient resources to discharge its GDPR obligations? The climbing team members have different levels of experience and knowledge, and the DPO is the most experienced of them all. He or she can help you operate within the law by advising on your organisation’s data protection governance structure and on achieving accountability.
Beginning your summit ascent
The DPO monitors whether all necessary steps for the ascent are taken, such as training and securing the required clothing and equipment - i.e. policies, procedures, work instructions and technical and organisational measures. When decisions are needed on securing ropes and passing steep cliffs, you can benefit from his or her in-depth knowledge and experience. The DPO also has an important task in relation to raising awareness of the GDPR policies and procedures.
Assessing and minimising risks
In some instances, team members make smaller or larger mistakes, or the equipment used doesn’t provide the assurance needed. The DPO then assesses what to do: let the team fix the problem or call the emergency services. The DPO, for instance, advises on what you need to do in the event of a data breach. The GDPR also provides for situations in which there is an immediate risk of damage to the data subjects. He or she will contact the supervisory authorities and in some instances notify the data subjects.
Single point of contact
What should you do if the equipment used is not fit for the job at hand? The DPO will advise you to acquire better equipment or to expand the team. If these recommendations are not followed, he or she can advise calling the operation off. He or she will need to warn the emergency services that the team should be evacuated when such conditions cannot be overcome. DPOs serve as the single point of contact for the authorities on all issues related to the processing of personal data. They report directly to the Management Board and must be able to perform their duties in an independent manner, free of any conflict of interest.
Who guides you on your journey?
How do you find this trusted monitor, advisor, facilitator, guide and supervisor? Given the breadth of skills and experience required, this can be a significant time investment. Data Protection Specialists are also rather scarce, so hiring your own DPO is likely to be costly as well.
A practical alternative is to outsource the DPO function to a company that offers ‘DPO as a service’. After an assessment of the extent to which the organisation complies with the GDPR, a DPO can be deployed to steer your company towards compliance. This Privacy Sherpa can guide you on all kinds of ascents. Is this the right move for your business on its way to the summit? Please contact us.