The Ultimate Guide to being a Data Protection Officer
By Klara Lee
Thu 17 September 2020
Companies are increasingly being made accountable and prosecuted for their mishandling of personal data, making the role of a Data Protection Officer (DPO) increasingly crucial to any company's survival.
But, it’s a difficult role to have. Often DPOs take on a lot of responsibilities and although their role is meant to be ‘independent’, in reality they often have to balance their loyalty to the company with their duty to data subjects.
To keep things clear, simple and all in one place we’ve compiled information about what your role as a DPO is, how to keep up to date with new data protection practices (it's a very fast developing area of practice) as well as tips on how to handle the three things DPOs handle the most:
- Data Protection Impact Assessments (DPIAs)
- Subject Access Requests (SARs)
- Data breaches
We want to see you become an expert in the field, too!
What is the role of a DPO?
As a data protection officer (DPO), you’re responsible for making sure the company you work for always processes the personal data of its staff, customers, providers or any other individuals inline with GDPR or any applicable data protection rules like the DPA or CCPA. Essentially, you oversee the company’s data protection strategy and its implementation. A DPO also usually reports to the highest parts of the company and board, and can be contracted or a part-time employee in the company.
It's important to note that a DPO’s role is mainly advisory. You’re involved in and aware of the plans of the company and give timely advice on any matters that involve data privacy.
The typical activities of a DPO:
- Monitor compliance with GDPR by making sure the privacy measures put in place by the company are implemented properly and are up to standard.
- Be a point of contact in the company to inform and advise the data controller (the person/organisation that decides why and how personal data is processed) and the data processor (the person/people that actually perform the data processing on the controllers behalf) as well as employees of the company on how to comply with relevant data protection laws.
- Develop, coordinate and manage a company’s data protection strategy.
- Provide training sessions to staff to make them aware of their GDPR obligations, what counts as a data breach, the signs/how you will know there has been one and who to involve in the process.
The DPO has a complex role. They have to play the role of the advocate and represent the rights of individuals who, for example, send a SAR to the company, and maybe push the company to release information they don’t want to release because the DPO knows this is how to comply with GDPR.
At the same time, the DPO also has a representational role for the company they work for. In court, they should be as neutral as possible but at the end of the day the DPO is a member of the company and, in reality, there’s often corporate loyalty. It can be difficult to balance these two roles.
How to deal with Data Protection Impact Assessments
A Data Protection Impact Assessment (DPIA) is a process of weighing up the high risks that data processing might have on the rights and freedoms of individuals, with the benefits of what you want to achieve.
Companies have to do this to minimise the risks of a new project or plan, or to help determine whether it's even worth pursuing in the first place.
Our top tips for carrying out a DPIA:
- Carry out the DPIA when you can still influence the outcome of the project. You can do a DPIA before or after implementing a new plan, but doing it beforehand can save the potential costs of an initiative.
- Throughout your role make sure you remain ‘independent’, i.e. the controller should not direct you with how you do your work, this is required under GDPR. It means when you do tasks like DPIAs they have more credibility.
- Consult the Data Protection Authority in your area depending on the scale, context or magnitude of the risks involved. This isn’t necessary all the time but it depends on how serious you think the risks are.
- Map the information flows and identify the risks and benefits by following a template like the ICO’s.
- Publish the DPIA report, sometimes you can’t for security reasons but it can be a great PR move to show customers/employees that you take their data very seriously: the FBI publish their DPIAs!
How to deal with Subject Access Requests (SARs)
As a DPO you will likely be in charge of dealing with all the Subject Access Requests (SARs) the organisation is sent. A SAR is a written request that an individual can send to your organisation in order to see what personal data you hold on them.
They have this ‘right of access’ under Article 15 of the GDPR, so your response needs to be thorough and accurate to avoid receiving a complaint or prosecution from the ICO.
So here’s how to respond to a SAR, plus some helpful tips along the way!
- Identify who the request is from e.g. if the request is from a current or ex-customer or employee, and find their account information. You can always ask for further information to help your search. We recommend also checking the validity of the SAR e.g. a recent photo ID and utility bill. You don’t have to but some journalists have tested companies by asking them for their friend’s or partner’s data and found that many companies did respond. A request can also be made on behalf of someone by a representative like a solicitor, but make sure that the person has authorised the representative to make the request.
- If your organisation charges a fee to process Subject Access Requests, ask for this and then see if payment has been received.
- Once you have all the information necessary to respond and a possible fee has been paid, make a note of the date.You need to respond within 30 days of receiving the request. You can extend this to two months in complex cases but you will need to notify the individual.
- As soon as a request is identified, suspend the routine data deletion or destruction processes with respect to the data of that individual. It’s now a criminal offence to delete, destroy, alter or conceal personal data in order to ‘prevent disclosure to data subject’.
- Make checks in all systems for the data being asked for, even possibly in different member states. Personal data can include hard copy or electronic filing systems e.g. client/employee files, Outlook accounts, audio recordings or CCTV footage.
- Remember, there are exceptions when data shouldn’t be given back to a person. For example, if it would obstruct legal enquiries, investigations and procedures, endanger national security or infringe on the rights and freedoms of others e.g. if an individual asks for CCTV footage but it contains other people in it. Consider whether the other individuals have consented to disclosing the data or whether it’s reasonable to disclose it anyway.
- Disclose data securely and if a SAR has been made electronically, the expectation is that you provide the response electronically. However, it's always good to check with the individual.
⚠️ Remember to record the entire process in case a complaint is made to the ICO and they review the response. Record the sources you got data from, key decisions made about whether information counted as personal data and whether exemptions applied, as well as any communications with the individual and other third parties.
TOP TIP 🌟
Throughout your time as a DPO, remind employees that they should never use their work email for private conversations. Keep in mind that you can be SAR’d at any time, and more often than you might think, a company has had to embarrassingly admit in a SAR response that in a work/case related email a member of staff has added a rude or inappropriate comment about another member of staff or client.
How to deal with data breaches
Dealing with a personal data breach is possibly the most dreaded and crucial part of being a DPO. Your role is to set out, or review, clear steps everyone in the company needs to take if a data breach happens.
A personal data breach means any breach of security that leads to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches with accidental and deliberate causes.
Here are some steps you can take to best deal with a data breach:
1) Identify the breach and contain it.
Some examples of how you can spot a data breach:
- If hackers gain access to your network they could modify or delete critical system files to try and prolong detection.
- If a program acts up, a user is unable to access their account with valid credentials or there’s unusual activity on a privileged user account e.g. a history of viewing sensitive information, a high volume of database transactions, or sudden permission changes. It could simply be a software or hardware malfunction but it could also be an indication of an external or internal threat.
- Unusually slow internet or devices can also be an indication of malware or viruses.
- Keep anti-virus and anti-malware programs up-to-date and run vulnerability programs, such as Microsoft Baseline Security Analyzer, to look for missing patches and other security risks.
Remember that breaches can happen in paper copy too e.g. company donated a file cabinet to a charity shop that still contained personal files and was fined £60,000.
2) Assess the ‘likelihood and severity’ of the breach resulting in the risk to people’s ‘rights and freedoms’
- emotional distress
- physical damage
- material damage
To help, take the ICO’s self-assessment to see if you need to report the breach to the ICO. Then you may have to inform the data subject.
3) If necessary, report the breach immediately
If you decide to report the breach to the ICO, 📢 you need to do this no later than 72 hours after becoming aware of it. You can email the ICO or alternatively call at 0303 123 1113. When you phone, they'll ask you questions like:
- What’s happened?
- When and how did you find out about the breach?
- What are the possible consequences of the breach and who is affected?
- What are you doing as a result of the breach and who should we contact if we need more information?
- Who else have you told?
If you decide not to report the breach, you need to be able to justify this decision, so make sure that you document it.
Best sources of expert knowledge about data protection law and practices
To really become an expert in the field we recommend that you keep up with the latest data protection developments around the world.
Some of our favourites:
- Bird & Bird
- European Data Protection Supervisor
- Law 360
- International Association of Privacy Professionals (IAPP)
- Privacy International
- Digital Guardian
- GDPR now! for developments and trends in privacy
- Fit4Privacy insight into privacy for business leaders
- Life with GDPR how it impacts your business
- The GDPR Guy to help organisations comply with GDPR
- GDPR weekly show for recent news items about data protection
- Data Protection: A Practical Guide to UK and EU Law by Peter Carey
- Data Protection Law & Practice 1st Supplement by Rosemary Jay
- GDPR for Dummies by Suzanne Dibble
- The EU General Data Protection Regulation (GDPR): A Practical Guide by Paul Voigt
Books that explore the social consequences of data:
- Everybody Lies by Seth Stephens-Davidowitz,
- Invisible Women by Caroline Criado Perez
- The Age of Surveillance Capitalism by Shoshana Zuboff
- No Place to Hide by Edward Snowden
- Of Privacy and Power by Henry Farrell and Abraham L. Newman
Internationally recognized data privacy bodies:
- EC Justice Protection of Personal Data
- European Data Protection Institute
- FRA Information society, privacy and data protection
- Vrije Universiteit Brussel research group on law
- Brussels Privacy Hub (NGO)
- Privacy Association (NGO)
- Privacy First
- European Digital Rights (EDR)
- Interpol Data Protection
- UK International Data Privacy Law
- Data Protection Law Journal Oxford
Advice for hiring a DPO
Under the GDPR, you must appoint a DPO if you’re a public authority or body, or if your ‘core activities’ require large scale, regular and systematic monitoring of individuals, especially special categories of data or data relating to criminal convictions and offences.
But, even if you don’t fall under this, we recommend assigning the role of a DPO if you can anyway. If a breach or complaint happens you may be asked by the ICO whether or not you have a DPO and you need a good reason for why you do not.
Tips on who to hire:
- Ideally you should hire someone from within the company. Being the DPO could be an additional/part time role for them. This way, they will know how the organisation and industry works, where the main issues are and will also have an existing relationship with the other employees. The DPO should be independent and advisory but ideally have a human relationship with the company to ensure honesty and communication. You will need to train this person properly if they come from within the company.
- The GDPR doesn’t specify the exact credentials a DPO needs to have but does say that it should be proportionate to the type of processing they carry out, taking into consideration the level of protection the personal data requires.
Things you need to do:
- You should fill in a form that gives the DPO protection by relieving them of sole responsibility if there’s a serious data breach or their advice is ignored, otherwise the DPO is at risk of being sued. If you decide not to follow the advice given by your DPO, you should document your reasons to help demonstrate your accountability.
- The DPO needs the means to carry out their role, be that financial or personal. This will need to be assessed.
- Set out a clear hierarchy in your company to you need to make it clear to your employees who the DPO is and what their role entails.
- There needs to be a constant flow of communication between decision makers and the DPO to ensure that no privacy issues are missed.
Being a DPO is a big responsibility and a tough role to fill, but when done well can ensure that your customers get the transparency they deserve and your company avoids fines.
We do recognise that there is a lot to keep up with! So, there is a network of DPOs, law enforcement officers, and academics called ‘EDEN’ with over 800 members, which might be helpful to you. Alternatively, see our companies page to be put in touch with a member of our company support team!
https://eandt.theiet.org/content/articles/2020/05/companies-face-surge-in-data-access-requests/ says DPOs struggle to meet deadlines!