GDPR compliance: In conversation with a DPO

On the three year anniversary of GDPR coming into force, VinciWorks hosted a webinar to look at the last three years of GDPR. We explored the effect the regulation has had on the way we collect and process data and what we can expect in the next 12 months.

During the webinar, we shared a conversation between our Director of Learning and Content Nick Henderson and our Data Protection Officer Ruth Mittelmann Cohen in which Ruth shared the inside scoop regarding the ins and outs of being a DPO. They discussed a DPO’s responsibilities, the challenges of being a DPO, as well as best practice with regard to GDPR within an organisation. In this blog, we’ll share with you some of the insights from that conversation and see what we can learn from it about GDPR best practice within organisations.

GDPR – Three years on: Watch the full webinar here

What are a DPO’s key responsibilities? 

A DPO really wears multiple hats: they need to be advisors, auditors, and project managers. On a day-to-day basis, there are a lot of tasks they need to be on top of, including:

  • Collecting information that’s required to identify data processing activities 
  • Continuously analysing the compliance of current processing activities 
  • Issuing advice and recommendations to the management and other team members
  • Maintaining registers such as the DPIA registers, instance registers, and general data processing activity registers
  • Assisting relevant teams when they’re carrying out a data protection impact assessment for new projects

What does GDPR have to say about DPOs?

GDPR discusses the role of DPOs in Article 38, highlights what the position should include, both in terms of skills required for the job and what is necessary in terms of support from the organisation. Here’s what you should know:

  • The DPO should be involved in proper and timely data protection issues, and needs to be up to date with things in real time, as they’re happening. A DPO should never be finding out about a breach after it happened!
  • The DPO should have access to sufficient resources they need to carry out their job fully and efficiently.
  • A DPO shouldn’t be given instructions by management, but rather should take responsibility and give instructions as necessary.
  • The DPO should be the main contact for data subjects and advisors if they have any questions.
  • There should be a clear communication channel between the DPO and the highest management level.
  • It’s important to make sure there are no conflicts of interest, which can happen when the role is not seen as a unique and separate role, but rather just another title given to an executive whose primary focus is in another role.

What do you need to know to be a DPO?

Though GDPR does provide some guidelines regarding the role of a DPO, it does not provide a list of professional qualities that are required to be a DPO, or prescribe a specific training process to become a DPO, and requirements naturally differ between organisations and industries. But is there a minimum set of qualities they should have and a set of standards they should follow? Here’s what Ruth had to say:

  • A DPO should have expertise in both the national and European Union data protection laws and practices, including an in-depth understanding of GDPR.
  • A DPO should follow case law as it’s happening to be aware of any red flags.
  • It’s important for a DPO to have knowledge of the business sector they’re working in and of how the organisation actually operates.
  • The most important quality of a DPO might be to promote a data protection culture that really ensures that both the organisation as well as its employees are actually compliant with GDPR and other data protection regulations.

What are the biggest challenges that face a DPO? 

We asked Ruth, who both has several years of experience as DPO herself and has met with many DPOs from other organisations, what some of the top challenges of being a DPO are. Here’s what she had to say:

  • Time management: As discussed, a DPO’s role includes many aspects, and it can be hard to find the time to do everything, so it’s really important to manage your time effectively.
  • There’s so much to keep track of: A DPO monitors the organisation’s compliance with GDPR and other data protection laws but also must be at the forefront of enforcing these policies, and of raising awareness and ensuring that training, audits, and registers all get done.
  • Keeping a strong spine: A DPO will often need to act as an intermediary between different stakeholders within a business and different business units inside an organisation, for example, between the marketing team and management. The DPO needs to stand up for data protection and make sure they can ensure their company is being compliant.
  • Accountability: The DPO is the cornerstone of accountability when it comes to data protection, so they really must ensure they’re facilitating compliance through the implementation of different accountability tools within an organisation, whether it be a data protection impact assessment, ensuring all employees have adequate training, or regularly questioning things and facilitating audits to be on top of what’s going on with different processes.
  • Staying alert always: A DPO must always be monitoring and ensuring an organisation’s compliance level is being upheld. Ticking off boxes once a year and then laying low won’t do the job.

Which tools can help a DPO?

There’s so much for a DPO to keep track of, but the right tools can go a long way in helping keep a DPO’s affairs and tasks in order. VinciWorks has developed tools and training that make it easy to stay on top of GDPR compliance. Ruth gave a quick rundown of some of the GDPR compliance tools we have that are a DPO’s best friend when it comes to implementing and keeping GDPR compliance running smoothly within organisations. 

  • GDPR complete online training suite: VinciWorks’ suite of GDPR and data protection courses are packed with multiple course versions, realistic scenarios, and every customisation option you can think of.
  • GDPR forms and registers: Create, track and automate the GDPR compliance process in one place using Omnitrack, our fully customisable tracking and reporting tool. Some of the most popular forms include:
    • GDPR processing activities register, a requirement under Article 30 of the GDPR, which needs to be completed for each individual data-processing activity that an organisation undertakes.
    • Centralised Subject Access Form, which can be used by data subjects to ask organisation’s for copies of any personal information held about them.
    • Data protection impact assessment (DPIA) form, which can be used to assess and treat any security risks for different processes.
    • Legitimate interest assessment form for digital advertising and other instances where justifying the processing of personal data is necessary.
    • GDPR incidents and breaches register, which helps you stay on top of any incidents that could have a risk of turning into breaches.

VinciWorks’ complete GDPR solution:

GDPR Register of Processing Activities

GDPR compliance should involve the entire organisation, rather than only specific departments that are deemed high risk. VinciWorks’ GDPR compliance solution is a one-stop-shop for complete company-wide compliance. Our suite of GDPR courses ensures that all staff are trained appropriately via interactive, customisable courses. Whether staff are well–versed in GDPR or require in-depth onboarding training, we have you covered.

We also offer a centralised GDPR reporting solution that allows organisations to create, track and automate all data protection registers, such as processing activities, data protection impact assessments and subject access requests.