My new client has grown organically in the past decade to achieve an annual turnover of £65M+, specialising in human capital management (HCM). It is a data-centric business requiring the extensive sharing of subject data both internally and publicly for current and future customers/suppliers.
So, what is a data protection officer (DPO)?
A DPO is a person who is employed or retained by a company to ensure that they remain compliant with their obligations under the DPA 2018 (UK) and GDPR (EU) directives, ensuring processes and practices are in place to ensure that core obligations can be met to protect subject data.
The DPO plays a crucial role in helping the organisation fulfil its data protection obligations and has a duty of care to the organisation, to minimise any privacy processing shortfalls or failures that could result in potential fines.
To deliver the capability of a DPO, he / she must have an understanding of the strategic and operational use of data within that organisation i.e. its information lifecycle model.
Responsibility of the DPO
The DPO provides due diligence and oversight. However, he / she is not personally liable for data protection compliance. The controller or processor of the organisation remains responsible to ensure compliance with the GDPR.
The responsibility of the DPO can be segmented into five areas, which are discussed in no order:
1. Monitor internal compliance
The DPO must oversee both formal and informal data controls, ensuring they cover the full information lifecycle i.e. data ingestion (including all channels), extraction, manipulation, transformation and publication of subject data.
A key artefact that requires scrutiny is the breach process and data subject access requests (DSAR). DPOs should be exposed to these asap.
During business as usual (BAU) activity, especially with new projects or programme of new work, individuals will be tasked to ensure that data protection impact assessment (DPIA) are in place and completed. This is a core project artefact / deliverable and identifies and minimises risks. The following ICO recommendation highlights the minimum for a DPIA:
- The nature, scope, context and purposes of the processing;
- Assess necessity, proportionality and compliance measures;
- Identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.
It would be prudent to ensure that the DPIA is embedded in a organisation’s governance process as it represents a key project artefact and, where possible, any early draft should provide greater value to the DPO.
Note: Article 38 of the GDPR stipulates that the controller and the processor shall ensure that the DPO is ‘involved, properly and in a timely manner, in all issues which relate to the protection of personal data’.
2. Reinforce the obligations for data protection
The DPO must ensure that:
- All members of staff are fully conversant with their obligations under the GDPR.
- Data privacy across the organisation is promoted via training, internal social media, intranets or any other cost-effective means.
- Staff are aware that any data subject requests are actioned immediately and the DPO is notified.
3. Consultant adviser
The DPO should be considered as a trusted impartial adviser to the organisation, one who will instil best practices and confidence both internally and externally of the organisation.
The DPO should, as a trusted adviser, consider the following:
Organisational information / system processes
Understanding the data flows, from how data is captured (the channels) and permissions obtained, to how the data is processed, transformed, retained and used is fundamental to ensuring that information integrity is maintained. Something which must be understood by the DPO to ensure they can answer any requests or queries that may emerge with confidence.
Technically, it would be prudent to understand the system processes and the associated production systems to ensure that any ‘data touch points’ are fully understood or at least documented / audited regularly.
Practices (formal / informal)
The DPO must understand organisational culture (ways of working), the market it operates in, and its operational practices to ensure that the best processes regarding data management and data usage are maintained.
Whilst this may be documented, I would strongly recommend the DPO occasionally undertakes a ‘sitting with Nel’ exercise to perform random checks with staff to ensure they are comfortable with actual data processing policy enforcement.
The DPO should be familiar with all data capture channels, layers of the enterprise technology landscape and data air gaps that may be prevalent and advise on possible attack vectors to pre-empt any possible breaches of data privacy.
To ensure consistency between the DPO and the data controller or processors all decision-making with regards to requests or DPIA outcomes must be documented, including any difference of opinion that may arise during the governance meetings.
Organisation information patterns
During his tenure as the DPO the individual should, where possible, add value by highlighting common patterns observed and, more importantly the remediation actions for the controllers to introduce.
A DPO is in a favourable position as they can step back and highlight common reoccurring patterns that may be missed by the data controllers / processors.
4. Central point of contact for the supervisory authority
The DPO is the primary point of contact for the ICO i.e. the UK Information Regulator.
Any communication between the DPO and the ICO must be documented and relayed to senior management of the organisation in a timely fashion.
5. Central point for data subjects
The DPO is the primary point of contact for all data subjects (employees, business partners and customers) and thus a key contact for any data subject requests (DSARs), be they employees, business partners and customers or any third party that the organisation may hold information on.
This is a crucial element of his / her duties - any subject access request should be managed promptly and communication by the DPO and the data subject must be rapid and prompt.
How could / should a data protection officer (DPO) perform their duties?
This is not an easy question to address as no two organisations have identical systems or processes in place. Thus, the DPO should embrace the technology, culture, processes and patterns of his specific organisation and industry sector when providing oversight.
To deliver their duties the DPO must play an active part of the data governance process and in many cases may serve as the gatekeeper on some projects.
The DPO should chair monthly schedule meetings to ensure that any requests are put into motion and tracked, but also, as a background process, validate these actions.
The DPO must be alerted to and be notified to inform and manage stakeholders immediately in the event of any breaches and ensure that all immediate risks are mitigated.
The DPO is a ‘service provider’ in terms of managing the organisational obligations under GDPR and, as such, should also be subject to performance metrics, where possible?
However, as data governance and compliance will always trace back to a GDPR directive it would be prudent to ensure artefacts exist which support the GDPR functioning processes.
Please note that each item could result in multiple documents and templates e.g. the DSAR, would result in documents to ensure we capture the ‘who, what, when, how’ and should ideally be represented using standard notations (BPMN,UML).
Below is a list of key documents which should be available for review and provide a foundation for the compliance integrity check (CIC) during the DPO monitoring phase.
| Article | Artefact | Comment |
|---|---|---|
| 24 | Policy: Personal Data Protection | Level 0 policy document addressing the management of privacy in the organisation defining the desired processes and outcomes (what and how). |
| 12,13,14 | Notice: Privacy | This notice explains how you will process the personal data of subjects e.g. employees, customers, website visitors and others - as a default posted, or a link should be available on the public website of the organisation to allow easy access. |
| 12,13,14 | Notice: Employee Privacy | This explains to interim and permanent staff how the company will process their personal data (which could include diversity information, health, criminal records, etc.). |
| 5,13,17,30 | Policy: Data Retention | This document captures the process for data retention (on-site and off-site) and should reference classification/ types of personal data and how data will be securely destroyed/removed. |
| 30 | Schedule: Data Retention | This is a list of personal data file/record rotations and how they will be stored and deleted - describing the retention period for each type of data. |
| 6,7,9 | Form: Data Subject Consent | Lawfulness of processing & conditions for consent! This is the most common way to obtain consent from a data subject to process his / her personal data. |
| 8 | Form: Parental Consent | Only if the data subject is below the age of 16 years, then a parent needs to provide the consent for processing personal data. |
| 15,17,17,18 | Form: Data Subject Access Request | The actual request - a standard template to allow a consistent process to be followed. This should capture the actions or rights (access, erasure, rectification) in a consistent way. |
| 35 | Form: DPIA | Data protection impact assessment - see template from ICO |
| 35 | Register: DPIA | Document to record all the results from your data protection impact assessment. |
| 28,32,82 | Form: Supplier Data Processing Agreement | This document is used to regulate data protection with a processor or any other supplier. Important if you are using third parties - Downstream compliance. |
| 4,33,34 | Notice: Data Breach Response and Notification Procedure | The document outlines the triggers/actions/events that are undertaken before, during, and after a data breach. (When/How/Who) |
| 33 | List: Data Breach Register | A register for recording all data breaches - time-stamped to show actions/responses and notifications. |
| 33 | Notice: Data Breach Notification Form to the UK Supervisory Authority | In the event of a data breach, the URL for ICO notification is: ICO (https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/) |
| 34 | Notice: Data Breach Notification Form to Data Subjects | In the event of a data breach, a standard set of templates should be used to notify data subjects of the breach and the remedial actions taken. |
Additional documentation that, whilst not necessary, makes the GDPR process management smoother and can add value and simplify the compliance workstream in organisations.
| Articles | Artefact | Comment |
|---|---|---|
| 2 | List: Material Scope - High Level Automated Data Flows | This documents the information lifecycle i.e. movement of data from ingestion, tidy, transformation, visualisation, modelling and distribution - represent as a set of ‘swim lanes’. |
| 1 | Policy: Subject Matter | This document provides an overview of the macro-organisational policy for the protection of fundamental rights of natural persons. |
| 24 | Policy: Employee Personal Data Protection | Like the top-level personal data protection policy, but this one focuses specifically on employees. |
| 12,13,14 | List: Register of Privacy Notices | If privacy notices are published in multiple locations/channels it would be prudent to record each URL, portal or file store to allow control over all of them. |
| 7 | Form: Data Subject Consent Withdrawal |
Template document to record when a data subject wants to withdraw his / her consent. |
| 8 | Form: Parental Consent Withdrawal | This is a standard form to allow you to obtain parental consent for a minor i.e. a data subject younger than 16 years. |
| 7,15,16,17,18,20,21,22 | List: Data Subject Access Request Procedure | Documents the subject access request (SAR) process defining (who, what, when) of activities when the organisation receives a SAR. |
| 15,17,17,18 | Form: Data Subject Access Request | The actual request - a standard template to allow a consistent process to be followed. This should capture the actions or rights (access, erasure, rectification) in a consistent way. |
| 15 | Form: Data Subject Disclosure | Template to ensure information is sent consistently once a data subject access request is made. |
| 35 | List: Data Protection Impact Assessment Methodology | See Working Party Document WP248 - guidelines on how to perform DPIA; also guidelines available from ICO |
| 1,44,45,46,47,49 | Schedule: Cross Border Personal Data Transfer Procedure | A guideline that documents the transfer of personal data outside of the European Economic Area (EEA). |
| 30 | List: Guidelines for Data Inventory and Processing Activities Mapping | An inventory of processing a activities that can serve as a guideline to help complete documents. |
The following are non-mandatory documents that may or may not be required and can support the GDPR delivery service.
| Articles | Artefact | Comment |
|---|---|---|
| 37,38,39 | Schedule: Data Protection Officer |
Roles/responsibilities - see guidelines on DPOs (Working Party 243 rev0.1). Providing due diligence, regular monitoring of systematic processing. Engagement model if third-party / Formal statement of work. |
| 30 | List: Inventory of Processing Activities |
Best Represented as a set of BPMN ‘swim lane’ process flows - mandatory if: (i) Company has more than 250 employees; or(ii) Processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (iii) Processing is not occasional; or (iv) Processing includes special categories of data; or (v) Processing includes personal data relating to criminal convictions and offences. |
| 46 | Form: Standard Contractual Clauses for the Transfer of Personal Data to Controllers | Mandatory if transferring subject data to a controller outside of the European Economic Area (EEA) and relying on model clauses as your lawful grounds for cross-border data transfers. |
So, what are day initial activities for a DPO
As many of you reading this will either be new in the role or in the process of starting a role I would like to share my day one activities;
- Understand the technology estate and core systems.
- Deep dive into and understand the channels used to collect and push information around and outside of the organisation.
- Ensure that the artefacts discussed above are in place with associated processes there to support them.
- Ensure that the DPIA / DSAR / breach and notification and Consent documents and processes are embedded as part of the organisational culture.
- Keep reminding the senior management of the impact of non-compliance.
Conclusion
As the controller and processor are liable for meeting the obligations, it would be of no surprise that they seek legal counsel on the production of various artefacts. The DPO should have a solid enterprise and security architecture background where they understand core organisational systems and the regulatory needs (I myself have read the actual text of the GDPR several times) - most importantly someone who can add value and hit the ground running on day one. The role of the DPO is well documented and many sources exist to help in the DPO journey. I hope this small article gave additional context and food for thought, and a must read, if you are interested in the role of the DPO, is the Guidelines on Data Protection Officers (‘DPOs’)
If you are a newly appointed DPO - Good Luck!
