Author: Gary Hibberd
Date: 27th July 2020
Have you ever seen Pinocchio? The story of the wooden boy who wants to become a ‘real boy’? In the story, he is joined by ‘Jiminy Cricket’, a talking cricket who is assigned the role of Pinocchio’s conscience.
Throughout the story, Jiminy sits on Pinocchio’s shoulder, whispering into his ear, trying to guide him on his journey to become a ‘real boy’. Sometimes Pinocchio listens, and all is well. Other times… Pinocchio lands in hot water because he fails to heed the warnings from his trusted advisor.
In short, a DPO is just like Jiminy Cricket: sitting with you and asking “Are you sure you want to do that?”
Back to the future
For me, my life as a DPO began back in 1998, when I was happily involved in IT, having a great time as a programmer, systems analyst and part-time Hacker. Back then, Hacking involved writing your own scripts, root-kits and required a grasp of fundamental programming languages like ‘C’, ‘C+’, COBOL and FORTRAN.
I was working for a small business so I got involved in everything related to technology and Data. It was around that time when the business owner came to me and handed me a document, saying “You’re pretty good with all this stuff. Here’s a new law we’ve got to follow. Can you take a look and tell us what we need to do?”
Handing me the document, I glanced over the cover page, with the royal crown at the top and the words “Data Protection Act 1998” below it.
My journey into the world of Data Protection began there.
20 Years later
From that point on, I quickly adopted the role of the Data Protection Officer, a role which was loosely described and outlined within the Data Protection Act (DPA) 1998, and over the course of 20 years I combined its knowledge and requirements with my career in Information Security.
When the General Data Protection Regulation (GDPR) came into force in 2018 I was lucky enough to have amassed 20 years of experience as a DPO, but to many this seemed like a new obligation and a new undertaking.
The Role of the DPO
In truth, the role of the DPO has only been more formally recognised in GDPR, so it can feel like a new requirement. This may come as a surprise, but the role of the DPO is an interesting, challenging and even exciting role to have! Your primary role as the DPO is to ensure the organisation is acting diligently, and within the boundaries of the law, in all practices related to the use of Data.
Article 38 (“Position of the Data Protection Officer”) states that “The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.”
In short: you get involved in everything!
What makes a good DPO?
But it can be a challenging role at times, as some people don’t seem to understand what ‘acting diligently’ means. For example, I once had to explain, several times, to the head of IT Development why using live data (i.e. real data) in a test environment was not permitted, and not best practice. He was several pay-grades above me at the time, and I was certainly a junior in his eyes. Being a DPO can mean having challenging conversations, and you quickly learn skills around communication, negotiation and practical implementation.
A good DPO has a strange mix of qualities, values, skills and knowledge that few people truly appreciate. For example, as described above, really good DPOs have developed great communication skills. They need to be focused on education and have a passion for what they do. How many roles do you know that list ‘passion’ among their requirements? Why do I believe passion is important? Because being a DPO is, more often than not, a thankless task. The role of the DPO is to ensure the business operates lawfully and in the interests of Data Subjects. You need to be self-motivated, and therefore being passionate and believing in what you do will turn you from being merely a DPO into a great DPO.
A great DPO will need to have strong technical knowledge of legal and regulatory data protection frameworks, both nationally and internationally, and should also have a similar background in and understanding of information security management frameworks (such as SOC 2, NIST, ISO 27001 etc.).
What does a DPO do?
Article 39 of the GDPR outlines the tasks of the DPO, but in summary, the tasks the DPO is expected to carry out are:
– To advise and guide the controller or the processor on their obligations towards Data Protection
– To ensure there is a monitoring process in place so that they can evidence that processing measures are appropriate (e.g. ensuring appropriate training and awareness is taking place)
– To ensure that Data Protection Impact Assessments (DPIAs) are being completed appropriately
– To work and cooperate with the ICO (in the UK) when and where necessary (including investigations into the organisation)
The DPO will be involved in all aspects of Data processing, and this includes client data and employee Data. They will help develop policies which can then be monitored and measured, to ensure ongoing compliance with the GDPR.
Do you need a DPO?
Article 37 of the GDPR states that it is mandatory to appoint a DPO in the following circumstances:
– Processing is carried out by a public authority or body (except for courts acting in their judicial capacity)
– Processing operations require regular and systematic monitoring of Data subjects on a large scale (e.g. CCTV operators, hosting companies, social media etc.)
– Core activities consist of processing special categories of Data on a large scale (e.g. children’s data, health data etc.)
In all other cases you are not mandated to have a DPO. But this doesn’t mean you shouldn’t appoint one. If you decide not to appoint a DPO, I would suggest you need to have the conversation and document the reason for not hiring or selecting someone for the role.
Who can be the DPO?
The DPO needs to be independent and have no conflict of interest. So you can’t make the head of IT the DPO, or the head of marketing, or the head of… anything. Remember that part of the role requires the DPO to work with the ICO in any of their investigations. In short, if a Data breach occurs due to an error by the head of IT, it’s unlikely that they’ll be willing to run to the ICO and say “Hey! Look, we’ve had a Data breach, and it’s because I didn’t patch that system!!”
(Now you might start to see why the role of the DPO can be quite challenging.)
If you want to appoint a DPO, but don’t have anyone internally you can turn to, then you can outsource the role. You can go to a company (like Cyberfort) and ask about their ‘DPO as a Service’ (we call it a ‘Virtual DPO’).
I think this is a great idea if you’re struggling to recruit, or to justify the cost of having a full-time DPO. It ensures the role is truly independent, and you have someone external with a keen focus on Data Protection and Information Security, without having to pay for their training!
Even if you don’t need to appoint a DPO, I would suggest it is highly advisable that you assign someone to be your Data Protection Leader. Although GDPR can be quite confusing, in truth it simply means ‘Giving Data Proper Respect’. Clients will ask you how you achieve compliance with GDPR, so you need to be able to respond adequately to that question.
The role of the DPO is broad and varied. The skills required are equally broad and extensive. Don’t underestimate the importance and benefit of having a DPO in your business. They are your ‘Jiminy Cricket’, and their role is to keep you honest.
Because if you aren’t honest about the way you control and process Data, it may become as obvious as the nose on your face, just like it did with Pinocchio.