Data Privacy Office Solutions, New York, Dec 21st 2022
It maybe somewhat ironic that there are 99 articles in the GDPR regulation statute with 100’s of pages of directives but only brief coverage of the role of the person most responsible for following the rules in an organization, i.e. the DPO or data protection officer. Choosing a competent data protection officer has never been more important with the rising tide of privacy regulation, increase in data and complexity of environments and the increased risk exposure to breaches and fines.
The nature of the role itself spans technical, legal, corporate communications, marketing, sales, HR and the boardroom with a strong focus on research and responsiveness to queries. In the next sections we’ll take a deeper look at these areas and what it takes to be a good DPO.
What legal knowledge do I need as a DPO?
It’s fair to say that being legal saavy is a prime directive of the role of DPO. As with many organizations, data is transmitted across states and countries which means that a DPO must have knowledge and a record of who the data is on and the governing rules that apply. For example, if your a California based payments company with global offices, you’ll transmit and hold personal data on EU, Chinese, Indian and Californian residents. This will require knowlege of GDPR, China’s PIPL law, India’s Data Protection Bill and California’s CPRA & CCPA data protection law. Of course it wouldn’t stop there as there are other national data protection acts and US state laws involved in the chain but you get the picture.
These laws have particular but important variations on consent, time to respond to access requests and notifications which must be adhered to at peril of expensive law suits and reputationally damaging complaints.
DPO’s must be constantly reading supervisory authority reports, legal opinions and lawsuits brought by individuals anywhere you do business. This means setting up things like Google alerts, subscribing to twitter feeds and updates from regulatory bodies such as the ECJ, FTC, Attorney General offices etc. New laws are constantly around the corner such as the Trans-atlantic data privacy framework (TADPF) and ADPPA (American Data Protection Privacy Act) which may affect your business.
Are Communication Skills Important as a DPO?
Being a DPO requires a particular set of communications skills which is somewhat akin to being a lawyer. Remember that a lot of the frontline communications are with the unforgiving world of regulatory agencies and customers who want something or who are complaining about something. Responses have to be measured so as to provide the answers without exposing you and your organization to more legal peril or aggravating the requester. In fact, I would expect that any perspective DPO in the hiring process would be asked scenario type questions where they are presented with an example complaint and how they would handle it.
Internally, DPO’s will be interacting with all levels in the organization which means that they will be expected to know their audience and communicate with their perspective in mind. This means that a marketing reps risk profile is different than a developers and you will be communicating differently to either party. Rita Heims, Research Director at the IAPP agrees and says “Good communication skills [are required], both with external counterparts (such as regulators), as well as with internal stakeholders. GDPR compliance is a team sport involving IT, Marketing, Operations, and many other departments.” At the board level, you maybe expected to communicate the potential impact of new legislation to business operations or perhaps the potential impact of a suspected data breach in terms of exposure to fines and class action suits based on precedents.
Does a DPO need to be able to handle data breach response?
In times of crisis, such as a data breach. A carefully planned choreography should kick in which sees that the DPO is ready, willing and able to play the role of breach responder. This will involve confirmation and classification of the nature of the breach, activation of an incident response plan, response co-ordination with legal /IT /marketing /executives etc, preparing communication templates to customers and the data protection authority and damage mitigation. This is all followed up by reporting, remediation and post incident communication to affected parties.
DPO’s should be able to turn to their existing documentation such as the record of processing activities (ROPA) to determine the potential exposure of data suspected in a breach. This is an important part of information gathering and will determine who needs to get notified should a breach happen. Data protection authorities such as Attorney General offices and data protection commissions will also need to handled, any mis-steps may equate to extra penalties should there be fines.
Does a DPO have to be a trainer aswell?
Annual training is a requirement for all data protection laws and there is only one person who knows as much about the topic as the DPO. DPO’s are expected to inform staff on applicable law when handling personal data and the rights of customers under the law. Key topics will include timing in response to customer requests, risks in sharing personal information, types of personal information, employee rights to access their information and media handling.
Training is often the 1st line of defence when it comes to data security as human error is the most common culprit behind breaches, so in this respect a DPO must be a trainer within an organization. (Visit our SHOP to see our related collection of training materials).
What about DPO Role Independence?
The integrity of the data protection office depends hugely on being independent of organizational bias. What do we mean here? The role of DPO is expected to be an impartial one in the eyes of data protection authorities. One that demonstrates accountability and good faith toward the customer and internal stakeholder alike. The customer is better served by these characteristics in the organization which makes it better from a regulatory standpoint. Article 39 of GDPR says that one of the main tasks of DPO is to inform and advise the controller or the processor where necessary, as well as handle requests and complaints from data subjects.
From the point of view of an effective DPO, they should demonstrate fair and impartial assessments in their DPIA’s, oversight of data processing activities and reporting to the executive and regulatory authorities. Ultimately, the DPO should not be impeded from practicing an important function but they should also have the drive to ensure that this is not the case and maintain their independence.
What about risk analysis abilities for a DPO?
As in all elements of business, risk is everywhere. To make sense of it all though demands knowledge of vulnerabilities, threats and liklihood in the same sense as IT security assessments. In the formal sense, a data protection officer is expected to conduct data privacy impact assessments (DPIA’s) and identify corrective action plans. They are also expected to maintain a register of processing activities which includes purpose of said activities and risk minimization measures in place. But beyond this, the DPO should understand what the common fails in the industry and the ones which draw the most ire from customers. A quick breeze around the web will yield an abundance of civil cases where there is a failure to respond to customer access requests within the statutory period. There’s also plenty of cases where personal information PII was sent to the wrong address (frequently an old address) or inappropriately shared with 3rd parties without permission..
A good DPO will have an understanding of where the risks are in his/her organization and bring awareness to the stakeholders. They will also understand the technical risks surrounding data at rest and in transit and the necessary controls such as encryption, anonymisation, data masking and other de-identification techniques which are required under the statues. Gaps should be reflected in regular privacy impact assessments that they perform.
What security skills should a DPO have?
To be a good DPO, being cybersecurity aware is a core requirement. The forward momentum in the industry is toward a merge of security with privacy in control frameworks like ISO and NIST which regulatory authorities have taken note of. This means that there is more cross-over then ever with the IT security function in organizations. DPO’s should be aware of top 10 cyberisks and how to combat them at a people, process and technology level. They should understand the principles of confidentialiy, integrity and availability of personal data with a working knowledge of how controls work such as anonymization, encryption and data masking. They should also know the privacy by design principles (read our article on principles of design HERE) Perhaps, most importantly they should be involved in the same approval processess for change management and app development so that everyone’s voice is heard. Security certifications such as CISSP, CEH and cloud security credentials won’t hurt either.
What should a DPO be focused on in 2023 and beyond?
In a word automation. The elephant in the room is the volcano of regulation that has occured in data privacy since 2018. It’s now generally accepted that human effort alone is not enough to keep up with changes hence products. In fact, Gartner predicts that 75% of the global population will have Its personal data covered under privacy regulations. This means that automatic mapping and decision making for personal data on your networks. It means automation of customer privacy request handling, consent management, privacy impact assessments, data transfer tracking and many more areas that touch on the privacy lifecyle. The days of spreadsheet updates and standalone systems are coming to an end. Check out our related article on what to expect in data privacy in 2023 HERE.