The role of the Data Protection Officer is an important and often necessary one.
When we are talking to new clients, I am often asked what the role of the Data Protection Officer entails and how a business can get the best out of either their own in-house DPO or their outsourced provider.
While the day-to-day activities of the DPO will vary from business to business, the basic principles remain the same:
We are not here to say ‘No’
Very often the initial reaction from anyone that doesn’t come from a compliance-related background is that the appointment of a DPO is a bad idea because “they’ll just get in the way”.
Now, I can’t speak for every DPO but I can speak for myself and for the DPOs that I personally know and work with and believe me, we have much better things to do with our time.
A good DPO is an asset to a business and will understand that there is a balance between being compliant and being commercial. The work of a DPO sometimes means helping teams to come up with new ideas that meet the business’s needs while also being compliant, rather than just putting a great big red cross next to every impact assessment that crosses their desk!
We can’t help if we don’t know
There is no point in appointing a DPO if you are not going to tell them what is going on.
I have lost count of the number of times that I have been called into a meeting or sent an email for a project or activity that ‘needs urgent approval’. The request generally arrives with absolutely no background context and no impact assessment, and no one is able to explain why I wasn’t involved in the process months ago.
It is very hard to comment on a process or a project that you have no understanding of. What looks sensible on the surface is often complex and challenging underneath.
If you want to get the best out of your DPO, then you need to involve them at the beginning, not at the end.
Ask us anything
I know we probably appear like some kind of alien race to many people but believe me, we are human and we love to talk!
I was always told that there is no such thing as a stupid question. Questions breed knowledge and knowledge is power.
Your DPO does not need to be involved in every stage of every project or change within your business but they can offer valuable insights along the way. If you have any concerns about a particular proposal or process, a quick email or call to your DPO could save you days, even weeks of worry. Very often we can answer your question quickly and easily and everyone can get on with their day!
Tell us when something goes wrong
It doesn’t matter if it’s the largest breach in the company history or if the new HR lead has just sent out the CEO’s P45 to the wrong person, your DPO needs to know.
There is nothing worse for a DPO than hearing about an incident for the first time from the affected party or, even worse, from the ICO.
Informing your DPO of an incident, as soon as you know, means they can help with the response from the start, keep detailed investigation notes and can even help to reduce the impact.
And no, someone using your ‘World’s Best Accountant’ mug is not what I would call a reportable incident.
Trust us!
Whether you are the person responsible for appointing the DPO or you work in a business where the decision has been taken to appoint a DPO, you have to trust us!
Now, trust has to be earned and I appreciate that. I never expect to walk into a new business and have the ear of the board or my colleagues straightaway but I do expect to be given the chance to show what I can do.
The DPO role is one that treads a fine line. We have to be independent but we also have to serve the interests of our employers and data subjects. To do this we need autonomy, we need to be able to work under our own steam, without instruction and this requires trust.
It can take time to trust a new DPO, especially if they are working on an outsourced basis and you may only see them once a month, but you need to build a relationship that works for your business and for your DPO.
Sadly, there will always be some of us out there who don’t quite turn out to be everything they have promised. The majority of us though, love what we do and want to help. We just need to be given the chance to show what we can do for you and your business.
For more information about how the role of the DPO could work for your business on both an in-house and outsourced model, please get in touch: richard.merrygold@istormsolutions.co.uk