Mar 15
Expert Advice: Top 5 habits and tactics for compliance officers

Introduction: Egil and the role of DPO

(If you are tight for time, scroll down to the Top 5 habits and tactics for compliance officers)

With the arrival of GDPR, many wonder exactly how the Data Protection Officer (DPO) will carry out their duties within an organization. While many experts believe that a DPO’s responsibilities are clear, little information exists on how the DPO should fulfil the role properly.

When it comes to data protection and compliance, Egil Bergenlind has experience in this field dating back to its early days. Early in his career, he worked as a privacy lawyer for the top European law firm Bird & Bird, where he focused on the theory and practice of data protection law. He then took a position as Chief Compliance Officer and Data Protection Officer at the fintech company iZettle. This combination of theoretical and practical know-how makes Egil the ideal person to provide us with some insights into what it takes to be a successful Data Protection Officer.

At this point, many of us fully grasp the DPO’s responsibilities. After all, GDPR provides a list (Art. 39) of the “tasks” that the DPO must fulfil.

Article 39 “Tasks”

Among others, a DPO within an organization will:

  • Inform and advise the controller or the processor, and the employees who carry out processing, of their obligations;
  • Monitor compliance with GDPR and other data protection regulations that may apply;
  • Assign responsibilities within an organization;
  • Raise awareness among, and train, staff involved in the handling of personal data;
  • Provide advice where requested as regards the data protection impact assessment;
  • Cooperate with the supervisory authority;
  • Act as the contact point for the supervisory authority.

Simply put, the DPO lives and breathes GDPR.

So, given the challenge ahead for DPOs, we thought it would be beneficial to provide some advice on how to be a successful DPO. The following are excerpts from an interview with our own CEO, Egil Bergenlind.

5 Habits and Tactics of an Effective Compliance Officer

1) Cultivate a sense of curiosity: be genuinely interested in the business

According to Egil, “Understanding the business is crucial to succeeding as a DPO.” He goes on to clarify, “being interested in all of the various functions, departments and functionings of the business can have a huge impact on the effectiveness of the role”.

Businesses have gradually recognized that data protection issues penetrate many parts of an organization. The DPO must understand what data the organization handles and which functions and departments this involves. The successful DPO asks the right questions. They find out all there is to know about the organization’s practices.

Here, Egil emphasizes the importance of the DPO remaining independent of an organization’s business functions. “The DPO is a guide, counsel and overseer of the organization’s business, not a member of any business function that it oversees.”

2) Understand the BIG picture

“Don’t lose the forest for the trees.” In other words, successful DPOs maintain focus on the fundamental purpose of GDPR: To protect the rights of individuals. Good DPOs ensure the integration of all articles of the GDPR in detail.

Yet even more important is helping the organization understand that data protection is about protecting individuals. For this, Egil has some additional advice: “Making sure the organization builds data protection into its daily operations is one of the most important things a DPO can accomplish within an organization.”

He refers here to the principles of privacy by default and privacy by design, where an organization takes the privacy of individuals into consideration at every decision, for example before launching a new product. The DPO works proactively, guiding the organization in keeping data protection constantly top of mind.

3) Be bold and take on this role with integrity

“Independence and prioritizing the rights of the individual puts the DPO in a very particular situation within an organization”. As a guardian of individual rights, the DPO must be ready to act and take the necessary steps to uphold compliance, even if it requires the involvement of the supervisory authorities.

“It takes a strong sense of integrity on the part of the DPO”, says Egil. “The DPO needs to have the confidence and determination to engage with decision-makers and provide the necessary guidance so that the steps are taken to maintain compliance.”

4) Communication is key

“Developing interpersonal skills, as well as the ability to educate, influence, and persuade others cannot be underestimated”, states Egil. In his years as a privacy lawyer and head of compliance of a global organization, he learned the importance of communicating clearly and being visible throughout the organization.

A DPO must use their communication skills to convey the importance of data protection. In most cases this would involve the training of staff and senior management. A successful DPO must always seek ways to improve and further develop these communication skills.

5) Be in many places at once: recruit data protection champions

A DPO cannot, and should not, ensure compliance on their own. Egil suggests a very simple but important tactic: “DPOs need to ‘recruit’ other key individuals within the organization and appoint them as privacy champions within their area of expertise.” These key individuals will act as “the DPO’s eyes and ears” in all privacy matters within the organization.

Establishing and keeping these key relationships has helped Egil stay on top of compliance issues throughout an entire organization. These relationships become ever more important in larger organizations with offices in different locations.

The role of the Data Protection Officer, as introduced by GDPR, carries many high expectations. For organizations that require a DPO, this position is regarded as indispensable for ensuring GDPR compliance. Despite its importance, there is a knowledge gap about how DPOs will carry out their duties. We hope that this article has helped bridge the gap.
