August 7, 2020
Max Schrems sits down next to me as the Q&A at the Data Protection conference starts. I have positioned myself in the far corner of the room near the wall due to a severe attack of imposter syndrome, and usefully for Max near a plug socket to juice up his phone. He has just explained to the audience the process by which he constructed the case against Facebook – a lot of people’s jaws are still on the floor.
I try to act cool. I wonder if an autograph request is weird and a think very hard about how not to look like a stalker. So, I opt for a “Hi, your session was very good” and quickly text my nerdy friends to tell them who I am sat next to.
A hand goes up in the audience and a guy addresses the speaker, “What do you think of all these NEW Data Protection Officers (DPO)? You know just qualified, not lawyers, no experience”. Earth swallow me up, I think – that’s me! Is some sort of spotlight going to shine on me in the audience? What will they say about these “new” non-lawyers who have not got 15 years’ experience, these new kids on the block?
The answer given is a bit of a fudge and the speaker is obviously cognisant of the audience and the likelihood that there will be “new” DPOs in the room (one is sat next to Max Schrems). The response covers the clear need for expert knowledge as set out in the legislation but also the demand for DPOs (data protection roles are one of the fastest growing careers in the UK).
Now a few years into my career as a DPO, I wish I had had the guts to stick my arm up and say “so what do you think about all these “old” DPOs and how will they cope in the new era of data protection. My view now is that the role demands so much more than the few lines set out in the GDPR. Whilst there is always good and bad in every profession, I am not of the view that time served equates to being competent.
Here is my thinking. Read any book on “Being a DPO” and it is like some sort of “How to make a cup of tea” learning exercise where the person you are instructing ends up with scalded hands and no tea bag in the cup as the instructions are incomplete or unclear. The “checklist” and “assessment” approach in a massive matrix organisation is hardly practical or effective. The question sets are often steeped in data protection language that will quickly result in people becoming very busy and hitting decline when you try to book an “interview about data ownership”. Similarly, “tell me about the processing activities in your team” will quickly get you off the Christmas card list.
Based on my four years working in data protection, I have recognised that there are a lot of areas where “new DPOs” with different “non-traditional” backgrounds can be of real value to organisations. So, if you are thinking about recruiting maybe look beyond the traditional and think about some of these additional skill areas too.
New is new! GDPR just celebrated its second birthday we are still waiting on a new ePrivacy Regulation, Brexit issues to be clarified and various technologies that are seen as potential solutions to the COVID crisis. Who knows what is coming next! Regardless of your years of experience, the process of understanding how the legislation is being applied, how the regulator is working, how fines are being applied is new to most people. Even if you joined the party 15 years ago, things are only just getting going. The expert knowledge here is not based on history but on the present and the ability to horizon scan and see the direction of travel. Keeping up to date and spotting the trends are vital (see the recent surge in use of AI and machine learning). This can be achieved by a good reading list and a network of peers teamed with good business knowledge and understanding of how business works and the competing pressures they are under.
By this I mean the ability to get the information across in a way that means the colleague can answer the questions. Not everyone in marketing, customer operations or retail will know the legislative definition of “data processing” or a “personal data breach” – much of the skill is in the quality of the question and understanding various business areas. Maybe,
“Tell me about what you do in this team?” followed by…
“So, to do that, what information do you use?”
“Awesome, so who in the team collects it and where do they keep it?”
And on it goes. But this is not data protection for dummies. This is data protection for real people and it can be surprisingly hard to communicate effectively. If people are unclear on the question the natural response is “No, we don’t do that here”, which can be misleading.
It is highly unlikely that anyone will trot into a DPO’s office with arms full of beautiful data maps and completed questionnaires. The more straight-line thinking approach that appears to be missing from the textbooks is just to find out about the business process for hiring colleagues, on boarding new suppliers, designing new products and services and invite yourself to these meetings. Getting privacy hard wired into business processes is very effective at lowering risk. Depending on levels of maturity in a business, the DPO (or privacy professional) might not be on everyone’s invitation list when planning a meeting so being a little bit forward here helps. You can make good progress quickly by assessing and freezing risks and identifying ways to build on existing process to include Privacy by Design and Default.
In all communication, knowing your audience and adjusting your style is key. Internal communication requires you to span the full company organisation chart. The Board update and the team communications need to hit very different marks but they still need to be effective. Textbooks will struggle to help you with how to communicate well within your own organisation – all have different styles and approach to hierarchy. The chair of the Audit Committee and the sales team member both need to know what the specific risks are in their role and what they can personally do to mitigate them. It is never about whether you personally understand the risks and the mitigations but about whether your audience has grasped it. Congratulating yourself on your deep data protection knowledge is not much help if no other bugger gets it!
Communication and interaction on privacy by external folk are driven from a number of different starting points – privacy advocacy, having a lot of time on your hands or poor service. The job description says be accessible. For me, that can be meeting them to discuss the concerns, a phone call, a letter minus all legal terms or a letter full of them! The measure of success is not how many people get in touch but (to me) how many get back in touch to say they were happy with the outcome.
Being a DPO doesn’t often involve giving people good news. And colleagues rarely show up and start the conversation with “Great news, DPO!” It usually goes, “Is it ok or not if we [insert data protection conundrum here]?”
How you respond to this will determine how effective your role is. The positive is that they are at your door in the first place, showing that awareness of all this “data stuff” has got through. The second point is that they won’t come back if you are rude or unhelpful. So, while my face might say, “You’ve done what?”, being relentlessly pleasant, calm and supportive is what is needed. People feel bad if they screw up – quoting article numbers and potential fines at them will only make them feel worse and next time they may not show up at all! You then have an even trickier job of finding out about an issue once it is far too late to do anything about it.
And finally, when it gets a little tricky, I have an awesome network of superstar lawyers, privacy professionals and fellow DPOs to call upon (social media is great for this). I attend sector specific sessions run by the British Retail Consortium (BRC) and have built a positive relationship with the regulator. Make your Chief Information Security Officer (CISO) your bestie, play nice with the Chief Information Officer (CIO) or Head of IT because when the rubber hits the road you may be in a small room for long hours with them!
With a webinar on virtually every data protection topic available, there is no reason to be poorly informed or not up to date. I don’t go it alone, I work with a team of experts to ensure we have the best outcome.
So, if you are working with a DPO who is new, don’t judge! The skills and expertise that they bring to the mix might just be the secret sauce to ensure that text flies off the page and becomes the new way that things get done. I try everyday not to be a dope and do some good DPO-ing, even though I might not fit the “ideal” description!
I have a sticker of Max Schrems on my laptop
Article 39 was not offended by the writing of this article
The WP29 group were I am sure using confirmation bias when recommending skills for a DPO ….something familiar feels like better advice than saying “go look for something new” it’s hard to imagine something you have not seen
I genuinely think there should be a Hat to go with the role of DPO
I am really nosey so ask way too many questions!
This week’s guest blog was written by Susan Roberts, Data Protection Officer at Clarks.
Connect with Susan on LinkedIn.
We’re the experts in getting data on your good side. Find out more about our data protection offering here.