The 2018 enactment of the EU-wide GDPR created the need for organisations to radically re-think how they collect, store, and use the personal information of those they interact with. Various changes were mandated, amongst them was the need for some organisations to appoint a Data Protection Officer (DPO).
Under the GDPR, you must appoint a DPO if:
- you are a public authority or body (except for courts acting in their judicial capacity);
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
Of course, even if not required to by the regulation, organisations are free to appoint a DPO if they so wish.
The role of a DPO is one laden with challenges. In this piece, we will outline some of those challenges that can present the most difficulty, along with options that can be taken which alleviate those difficulties.
A lack of structure and centralisation
The GDPR entered law over two years ago, yet many organisations continue to struggle with implementation. With no established protocol for how data protection is to be enforced, much of the work is done on an impromptu basis.
Adding to this relative disorder is the fact that organisations tend to collect personal information in a variety of different ways, usually with no centralised methodology for administering collection. For example, a dentist’s surgery might store a patient’s financial records on one system and their dental records on another.
Creating uniformity and structure requires the DPO to firstly determine exactly what information the organisation holds and how it is used. Depending on the size of the organisation, this can be an onerous task. Only then can they begin to design and implement the procedures and practices required for GDPR compliance.
Ambiguity of GDPR language
As the GDPR is a relatively new regulation, much of the language lacks the clarity of other, older standards that have evolved over many years. Regarding the role of DPOs, wording includes such ambiguities as, “[a DPO] determines the purposes and means of the processing of personal data”.
Essentially, it is left to the DPO to interpret much of the GDPR in relation to the usage of personal data and many internal processes consequently require regular evaluation.
Such ambiguity of guidance exacerbates the pressure on DPOs as each decision they take demands a sensitive balance between facilitating wider organisational objectives and the obligation to maintain compliance.
A need for deft management skills
The role of a DPO can be a lonely one. A significant part of their remit involves stepping into the various departments within an organisation and investigating how they handle data. Where practices potentially contravene the GDPR, they must introduce wholesale cultural transformations which require employees to rethink – often radically so – critical activities such as marketing, customer service, and product development.
It is a task which requires tact and high levels of both operational and emotional intelligence. Looking into how departments handle data risks creating flashpoints with department heads who have been using it in much the same way for decades. They may be initially hostile to being told that established practices must be drastically changed, or even abandoned altogether. This is especially true where data has been procured at considerable expense.
DPOs, therefore, need not only expertise and experience in data handling and privacy legislation, but also the thick skin, single-mindedness, and diplomatic skills necessary to face down frosty atmospheres and cultivate compliant procedures.
Getting the qualified personnel
In the post-GDPR world, where data is such a sensitive and valuable commodity, organisations need access to data protection expertise, and that expertise is in scarce supply.
This is creating obvious problems for DPOs who need to build teams of dedicated data privacy experts and acquire competent support in managing the administrative workload the role necessitates.
A lack of protocol also creates significant training issues as the field requires extensive knowledge of both IT and law. DPOs are often left with no alternative but to upskill themselves and their team by creating bespoke training programmes.
Legacy technologies and attitudes
Most legacy office technology is not equipped with the advanced functionality needed to manage data in such a way that is compliant with the GDPR. Moreover, many business leaders are sceptical of the need to invest in such technology, especially where they perceive it to limit how they currently use data.
As part of the cultural transformation described earlier, it is the responsibility of DPOs to provide senior leaders with the information needed to change opinions and priorities. How they do this is for the DPO to decide, but educating senior leaders on the penalties that GDPR non-compliance, and especially breaches, can incur usually sharpens thinking.
Conclusion
The role of a DPO is not for the faint of heart. It requires strong yet tactful management capability, high levels of expertise and experience across multiple areas, and an ability to design and implement compliant protocols across an entire organisation.
However, DPOs do have powerful resources at their disposal that alleviate many of the stresses associated with the job. Contemporary data protection technologies have the capacity not only to deliver full GDPR compliance within days but also to provide the means to use data in a way that gains a competitive advantage within a marketplace.