What It Takes to Be Your Organisation’s DPO or Data Privacy Lead

‘GDPR’ has become a familiar term.

We recognise the visible and consumer-facing aspects of the General Data Protection Regulation in our everyday lives – when consumers exercise their right to withdraw consent to their data being processed via ‘opt out’ or ‘unsubscribe’ buttons, for example.

What’s less evident is whether organisations are keeping their practices fully up to date and in line with the GDPR and other applicable data protection laws. For instance:

  • Since adding unsubscribe buttons, those same organisations may have purchased marketing email lists without confirming the lawful basis under which the personal data was collected and sold.
  • Where the organisation has bought a marketing list, did it screen that list against its list of people who have previously opted out, so that it removes those individuals from the purchased list before starting to market to them?
  • Since the EU GDPR was adopted in 2016 and became enforceable from 2018, we’ve had the DPA (Data Protection Act) 2018 and Brexit in the UK.
  • More than 20 articles have been withdrawn from the EU GDPR to make the UK GDPR, and the DPA 2018 has been amended to be read in conjunction with the UK GDPR.

So, how sure are you that your organisation is fully compliant with the relevant data protection legislation?

‘Once compliant’ does not mean ‘still compliant’

If you’re anything less than 100% sure, there’s a fair chance that someone, somewhere, has assumed that nothing has changed internally or within the law.

Just because you sought expert opinion on the matter a few years ago doesn’t mean you’re in the clear. ‘Once compliant’ doesn’t mean ‘still compliant’.

Previous decisions made – like not having to appoint a DPO (data protection officer), or not needing to conduct a DPIA (data protection impact assessment) – need to be kept under review.

Circumstances can change, as can guidance from the ICO (Information Commissioner’s Office), EDPB (European Data Protection Board), and similar bodies. Organisations should make someone responsible for monitoring such changes.

Data protection is international

The EU GDPR, UK GDPR and DPA 2018 aren’t the only laws you may need to comply with.

Data protection laws exist in almost every country and are relevant wherever you do business. You can design your systems and processes such that they meet all these legal requirements. A management system like an ISO 27001 ISMS or an ISO 27701 PIMS can significantly help with this.

But compliance requires clarity.

If you don’t understand the topics in detail, you risk conflating one standard or regulation with another, causing you to lose out on multiple fronts.

Conflicting laws

You’ll see few conflicts in Europe, as the EU GDPR was designed to integrate with EU laws. And post-Brexit, differences in UK and EU data protection law have remained small (though not non-existent, as discussed earlier).

But the further afield you go, the more problems you might run into. I experienced this when doing some GDPR work for a large Saudi Arabian organisation – a national law prevented it from being allowed to report data breaches with a risk to data subjects outside the country. And where laws compete, the strictest law always applies.

DPOs and data privacy leads need to know how to deal with situations like that. They’ll have to find a workaround like publishing a statement on the website along the lines of: ‘Please be aware that you might want to change your password at your earliest opportunity.’

Being able to clearly distinguish one regulation from another to unpick any problems is a key skill for a DPO.


Guiding others towards compliance

Another key way in which the DPO (or privacy lead) can help give the organisation clarity into its data – and compliance – is by asking the right people the right questions.

The DPO’s role isn’t to ‘do’ compliance themselves, but to monitor compliance, as well as guide others – especially business line managers – in taking the right actions. So, ask questions around what personal data they’re processing, and why and how they’re processing it. You could also visualise this information in a data flow map.

Until you get clear answers to these questions, you won’t be able to get clarity on:

The most reliable way to obtain all this information (and more!) – and ensure ongoing compliance – is to appoint a data privacy lead.


Data breach management

The value of having someone trained in data protection and privacy isn’t just apparent during business-as-usual times, when the DPO helps in the decision-making process through objective assessment and, where required, using tools like data flow maps and DPIAs.

The DPO or privacy lead also plays a pivotal role if a data breach occurs. They can assess the risks, offer practical advice – including about what follow-up action is needed to contain and mitigate the breach – and report it to the ICO if required.

To be effective in both business-as-usual matters and during business disruption, the DPO or privacy lead must secure the support of senior management – not just to have sufficient resources at their disposal, but to be able to introduce changes where needed.

This includes implementing lessons learned following a data breach.


Knowledge, skills and competence

Experience will stand a DPO in good stead, but isn’t a substitute for competence.

Apart from having a good grasp of the relevant regulations and excellent fact-checking abilities, a DPO will need to follow processes and be able to handle people well. Few people like change, so being able to convince them of the merits of those changes is an essential skill.

As the DPO or privacy lead, you’ll be the go-to person, the ‘safe pair of hands’, the trusted adviser and the mediator. You’re not just going to be following procedures with care and caution – you’ll have a wide range of stakeholders to deal with.

Effective DPO training covers the ‘how to’ part of the role as well as the ‘what and when’.

At IT Governance, we give guidance on what it means to be responsible and accountable in a DPO or data privacy leadership role. That’s what makes the difference between someone who has been handed a task and someone who is up to the job.

And remember: how a person performs in their role ultimately determines their prospects and the commercial wellbeing of their organisation.


Ready to elevate your career and become a certified data protection expert?

Our industry-leading Certified Data Protection Officer (C-DPO) Training Course is designed to equip you with essential knowledge and practical skills, positioning you as a leader in data protection.

Our comprehensive programme – led by an experienced practitioner – dives deep into the intricacies of the GDPR, ensuring you gain a holistic understanding of data protection principles and requirements.

With data breaches becoming increasingly common, the need for skilled DPOs has never been greater.

Don’t take our word for it

Here’s what previous course attendees say:

Dave Allison, DPO:

Andy has been excellent. He has made time for all of us, been very patient and has great training skills. I couldn’t have hoped for a better trainer.

Theresa Whelan, DPO:

Andy was very knowledgeable, very open to answering all questions and very engaging. The course was given at a good pace, and I feel all the areas a DPO needs to cover were included; it will definitely benefit me in my role.

Cieran McAuley, Safe Places for Children NI:

I have to say that the trainer was excellent throughout the course. He was very knowledgeable and provided me with the skills and knowledge to undertake the changes needed in our company. It was great to have such a passionate and enthusiastic trainer.


We first published a version of this blog in December 2023.

The post What It Takes to Be Your Organisation’s DPO or Data Privacy Lead appeared first on IT Governance UK Blog.