Oct 19
How to work with your DPO

For some, a Data Protection Officer (DPO) is a new role within their organisation. Others, like public authorities, have employed DPOs for years and are used to working together harmoniously. Within the private sector, however, the DPO is a fairly new phenomenon.

Any new role in an organisation is likely to cause a stir, especially one which is mandated to “directly report to the highest management level” and “cannot receive any instructions regarding the exercise of [their designated] tasks”[1]. It is important, therefore, that the company and its employees understand how best to work together.

With that in mind, the following are tips from DPOs on things they feel are important to make that relationship work.

Understand the role of the DPO

In a nutshell, your DPO is officially there to “inform and advise” you on your obligations under the GDPR; to “monitor compliance”, “provide advice”, and “cooperate with the supervisory authority”[2]. All too often, that is read by companies and their employees as ‘the DPO is there to police us’. That is absolutely not true. The DPO is there to support you, to help protect you, to make sure you are able to continue to drive your business in line with your goals and strategy, whilst staying within the confines of the GDPR. They should be seen as the buffers on your bowling alley that allow you to get the strike without losing the ball in the gully.

Trust us

So, once you understand the role of the DPO in your organisation, how best can you ensure you get what you need from them? You cannot work effectively with your DPO if you do not trust them, or they do not trust you. That trust is mainly earned through honesty with each other. A DPO needs to have an in-depth view of the company and its data processing activities. No company is perfect; they all have bad practices, but it is vital that the DPO is told about these practices, as well as the good ones. If they don’t know about them, they can’t advise what the risk is likely to be or suggest remediation activities. They can’t give the board an honest view of the benchmark you are starting from. Without an accurate benchmark, it’s hard to see progress and hard to assess risk.

Bring out your dead

It is vital to remember that even if you don’t tell the DPO where your bodies are buried, other employees do know. If one of them becomes a disgruntled employee or ex-employee and raises a Subject Access Request (SAR) that involves those bodies, then they would expect them to be dug up. If the DPO isn’t aware of them, the bodies are unlikely to be in the Record of Processing Activities document. Then the chances are they won’t appear in the SAR response and you are in all sorts of trouble. It’s always worse to hide something than to admit to it and have a plan in place to address it. Telling your DPO up front is less scary than telling the supervisory authority later.

The DPO, in return, has to be honest in their feedback to management. They can’t sugar-coat issues, but they should also remember that they are there to advise. Therefore, every issue they raise needs a recommendation to resolve it. Note the term: advise. It does not mean that they should dictate what needs to happen. A pragmatic DPO will outline the area of non-compliance, then provide a scale of solutions from 100% compliant to totally non-compliant, aligned with the company’s risk strategy. A DPO does not make decisions on behalf of the company; they only recommend.

Disagree amicably

Whilst a DPO recommends a way to comply with the Regulations, it is important to remember that the business does not have to act on their recommendation. This can be tricky when looking at the relationship between a company and a DPO. It can appear to other employees that the DPO’s advice has been ignored, that they are not valued and are there purely for show. This can be avoided by actions on both sides. To begin with, the DPO should always be upfront about the fact that the acceptance of risk is a decision that must be made by the highest level of management, not them, and that they are there to present the facts and the potential risk level to enable that decision. They cannot get emotionally involved in the decision. The management team must then carefully consider the facts and the DPO’s advice. If a decision is made that may be seen to contradict the advice of the DPO, then this decision must be documented and communicated appropriately, ideally with a review date in case business risk thresholds change over time.

Use your DPO as a sounding board

Companies should also consider their DPO to be a “safe space”. Nothing you are thinking of doing with personal data will shock them; like a doctor, they have seen it all. What they can provide is a sounding board for your wacky new projects. The chances are that they won’t say no, but they will whip out the Data Protection Impact Assessment template and support you whilst you uncover the risks that your project may incur. They will help you work out how to control those risks and eventually get to a place where the project can go ahead. It may not be 100% the same wacky idea you started with, but they will endeavour to help you reach the same end goal along a safer route. They are your critical friend; they won’t let you make stupid mistakes in public.

Consider your DPO an asset

Finally, a company must see its DPO as a business enabler, instead of a naysayer. A good DPO will ensure that you have the policies, processes, training and culture in place to drive a bond of trust between you and your data subjects. Their involvement with potential clients and due diligence exercises can help shorten sales cycles, drive revenue and contribute to your company’s strategic goals.

Work together, and you and your DPO are a force to be reckoned with.

[1] Article 38

[2] Article 39

This is the last in a 3-part series by guest contributor and consultant DPO Tash Whitaker. Her previous pieces covered when to appoint a DPO and whether to hire an in-house or external DPO.
