With the implementation of Europe’s General Data Protection Regulation (GDPR) back in May 2018, the duties of the data privacy officer (DPO) have multiplied in both quantity and importance. As companies adapt to the GDPR requirements, many data privacy teams remain undermanned and lacking the resources needed to comply with its statutes. The uniqueness of this massive European legislation has introduced a whole new series of challenges for individuals involved in data protection and privacy issues. Besides knowing the ins and outs of the GDPR, the DPO now has to tackle a myriad of other trials to guarantee the proper functioning of their organization. In this blog post, EIMF highlights the main challenges to be faced by DPOs as we move into 2020 and provides a series of tips on how to best solve these problems.
Improve the Governance of Data Privacy Activities
Considering the newness of the GDPR, it is perfectly understandable that one of the main challenges affronted by companies relates to the establishment of solid governance over data privacy activities. In this vein, CPO Magazine highlights the fact that companies are currently emphasising “the organisation and processes of a data programme” over “technological solutions and training”.
As explained in CPO Magazine’s survey, “In order to conform to privacy principles and meet all compliance requirements, an organisation must first wrap its arms around what data it is collecting from consumers, how it is using this data, with whom it is sharing this data, and what safeguards currently exist so that the organisation does not collect data improperly from consumers”. According to the survey, particular importance is being showed to “enhancing the process for data subject requests” and “consent management”.
CPO Magazine also points out that governance over data privacy activities grows in importance as a company matures. “This points to a constant issue for privacy teams: as business expands, an organisation will also have an expanding set of new privacy issues,” the survey explains. “This naturally leads to a need to embrace new technologies and business models in order to keep data processing activities at the required level (or higher)”.
Be as Independent as Possible
It is crucial for DPOs to be given plenty of leeway to perform their duties. It becomes counterproductive when upper management or other interested parties interfere with the DPO’s overall role and impose certain actions, behaviours or decisions onto the position, potentially leading to conflicts of interest or other similar problems.
As explained by Brian Davidson, PwC’s Senior Manager for Data Protection Strategy, Legal and Compliance Services in the UK, “Organisations must give careful consideration as to who will fill the DPO role and the specific tasks they will be assigned under GDPR to avoid potential overlap with the responsibilities of Legal, Internal Audit and Financial departments”.
In a piece for Mondaq, Charis Photiou, a Manager within Deloitte Risk Advisory Services in Cyprus, concurs with this need for independence on the part of the DPO. “The DPO is the person who will speak up when everyone else will stand down on Data Protection matters as well as be the person to be consulted on any matter concerning Data Protection,” Photiou says. “To achieve this, the DPO should maintain organisational/functional independence and perform his/her duties ethically and free from conflict of interest”.
Work as a Team
While remaining independent and not being influenced by ‘outside’ pressures is primordial to the role of the DPO, so is collaborating with other departments in the compliance with these data privacy regulations. According to DPOrganiser, a developer of personal management software, it is important for organisations “to build data protection into [their] daily operations” and “never act on their own”. More specifically, DPOrganiser writes, “Everyone facing customers or employees needs to be involved in data privacy issues”.
Furthermore, Andrew Shaxted and Louise Rains of FTI Consulting’s Technology division delve deeper into the benefits of collaboration between the DPO and other departments within the organisation. In a recent blog post for Legaltech News, Shaxted and Rains write: “The DPO should have the ability to reach across functions and work with stakeholders within a variety of departments in the organisation. By working with the executive bench and cross-functional teams, the DPO can ensure that project plans address and take account of the range of business needs and challenges that exist in the ecosystem”.
Build a Company-Wide Data Privacy Culture
By working as a team in the implementation of data privacy regulations, you will also be able to create a company-wide data privacy culture that will facilitate your job as DPO. The recent Data Protection and Privacy Officer Priorities 2019 survey conducted by Chief Privacy Officer (CPO) Magazine and highlighted by the European Union shows that many of the DPOs involved in the study believe raising data privacy awareness is one of their main challenges for 2019.
According to the EU’s GDPR website, “the DPOs who said building greater data protection awareness was their priority were split almost evenly in how they would go about creating that awareness: 35 percent said they would conduct awareness campaigns, 35 percent said they would institute formal employee training sessions, and 31 percent said they would regularly update senior executives in a top-down approach”. For instance, ProtonMail, a secure email service that values privacy above all, recommends that companies carry out regular data privacy awareness sessions, ideally starting “soon after a new employee starts and then be updated periodically”. ProtonMail’s Ben Wolford also suggests: “The training should emphasise the most important aspects of the cyber security policy while also giving employees an understanding of the specific threats your management team has identified”.
What are your thoughts on these tips? As a DPO, do you have any additional ones we should have included? Get in touch and let us know!
EIMF offers a variety of courses for individuals who operate as data privacy officers for their organisations. For additional details on these offerings, please view our calendar of scheduled educational programmes found here, or speak with an expert learning and development adviser at EIMF at +357-22274470 or info@eimf.eu.