
A day in the life of the DPO

The role of the Data Protection Officer (DPO), although it existed long before the GDPR, was made mandatory for public bodies and for certain processing activities under the General Data Protection Regulation (GDPR), which came into force in May 2018. In May this year, the International Association for Privacy Professionals (IAPP) reported that over 375,000 organisations had registered DPOs, over 32,000 of them in the UK. Although only a mandatory requirement in some cases, the DPO, whether internal or outsourced, mandated or not, has proven to be a very valuable asset for an organisation: they guide a business through a myriad of laws and regulations, reducing the risk of data breaches and protecting individuals’ personal data. As such, demand for DPOs has grown rapidly, to the extent that a Reuters article in February 2018 called them “hot property”.

We interviewed a number of DPOs from various industries to get an insight into the role, including what a typical day looks like and the challenges they face. Many of them have worked in the Information Governance, Risk and Compliance field for around 20 years, yet the DPO role has come into its own only in the last three years and has changed radically from what it once was. DPO Louise Garrett believes that “…the main change has been the significant shift in the mindset…towards the value of a DPO – I think even three years ago no one would have seen the value in a full time DPO.” It is new and ever-changing. Kristy Gouldsmith, a Data Protection Consultant, described how the role has changed: “In the beginning, many companies thought that the GDPR/DPA wouldn’t affect them and there was a severe lack of knowledge about it. After May 25th (2018), many of our clients adopted a more grown up approach to data protection and realised the business benefits that come from respecting personal data.”

It is the impartiality of the DPO, while still supporting the business aims of the organisation, that makes the role so interesting. The DPO is not someone to be scared of; they are extremely valuable to a business navigating its way through these new and muddy data waters, where technical controls alone no longer offer a sufficient level of protection. Michael Lewis explains, “DPOs have to be multiskilled, comfortable with technology and the relevant laws, but also be able to communicate and articulate what are reasonably complex topics to both data subjects and board members.” Rich Brameld, DPO & Head of Information Governance at Push Doctor, agrees that a DPO must be aware of what is going on at all levels of the business: “I don’t see how any DPO can be effective if they aren’t aware of the day to day running of, and the challenges faced by, the business they are in. It’s important to see and be seen!”

Bev McGowan, Director of The Specialists Hub and Outsourced DPO, explains: “the role has been through a number of phases over the past few years, from analysing and understanding the new regulations, to developing the privacy programs to deliver the new requirements, gaining stakeholder support and funding, understanding the data we collected and processed, putting in place the new operating models, policies, processes, controls, education and contractual agreements to operationalise privacy and security, to overseeing those operational processes and controls, managing the risks ongoing and maintaining compliance.”

So, what does a typical day look like for a DPO? Well, a typical day doesn’t exist: businesses revolve around data, so the DPO is involved in many different activities and initiatives every day. Rich Brameld admits, “It’s a cliché, but no two days are the same – and that’s what makes it interesting.” Kristy Gouldsmith explains, “We might be out auditing one day, to dealing with subject access requests and redactions another day, to advising directors of their responsibilities the next day.”

And the variety doesn’t end there. Other DPOs we spoke to described activities such as day-to-day business compliance, drafting Information Sharing Agreements, supporting the business with Data Protection Impact Assessments, exploring new ways to maintain compliance while still meeting business outcomes, delivering education initiatives to staff and putting long-term strategic plans into action.

It is generally agreed that the Data Protection Officer role has been a positive step forward in protecting the rights of data subjects, as data mining becomes the new gold rush and technologies such as Artificial Intelligence and the IoT advance. After the Cambridge Analytica scandal, with the reality dawning on us all about how and why our data is collected and used, the DPO can protect both businesses and individuals from falling foul of, or victim to, criminal and unethical use of personal data. One DPO, who wished to remain anonymous, told us that the focus has definitely shifted to “…people and privacy, highlighting that there is a person at the end of the data trail and that an organisation is being entrusted to protect them as a person when it comes to their information.”

So, after spending the last few years reviewing our data processing activities and implementing the necessary processes and controls to comply with the GDPR, where are we now? Many DPOs have been asked when they’re leaving because the GDPR work is done. Actually, it’s not! One anonymous contributor described it as a “journey to compliance.” We are still learning, understanding and devising new ways personal data can and should be used. Another anonymous contributor sees the “…challenge of addressing data retention and unstructured data, [the] emerging focus on ad tech and other uses of personal data in the digital space…” as one of the biggest challenges for the DPO over the next year. It is imperative that board members maintain their ‘buy-in’ and that education continues to be rolled out at all levels if organisations and businesses are to maintain their integrity and trust.

It is clear that this is an interesting but challenging role, and the DPO is a valuable asset to any business in the current environment: increased focus on privacy, new privacy laws coming into force around the world, and an increase in data breaches, enforcement action and fines from supervisory authorities.

Author: Emma Gallagher, Consultant at The Specialists Hub Ltd


Read some of the full DPO interviews below

Rich Brameld, Data Protection Officer & Head of Information Governance, Push Dr Ltd.


How long have you been a Data Protection Officer for and how has the role changed over that period?

I have been working in various data protection roles, including DPO (non-mandated, pre-GDPR), Head of Privacy, Head of Data Protection and mandated DPO for 13 years. My roles have varied significantly and have straddled both first and second line (of defence) roles in that period as I have worked across a number of different sectors including utilities, finance and healthcare. I have owned risk and advised on risk. My first Data Protection role was termed Data Protection Officer, but this was more of a job title to specify responsibility for all matters relating to personal data and data protection than the advisory role we see now in the mandated position.

What does your typical day look like as a DPO, a year on from the GDPR coming into force?

It’s a cliché, but no 2 days are typical or the same – and that’s what makes it interesting. I make a point of ensuring that I have involvement in all that’s going on. There may be no actual requirement for my presence in terms of any impact to personal data, but I make a point as a somewhat autonomous leader to have a full understanding of all the business is doing. I don’t see how any DPO can be effective if they aren’t aware of the day to day running of, and the challenges faced by, the business they are in. It’s important to see and be seen! (an old adage of my grandparents that seems to fit all scenarios).

What has been your biggest challenge over the last 12 months?

Outside of my role, my biggest challenge has been overcoming the scaremongering about GDPR and the DPA 2018 and re-educating people.

So much misinformation was prevalent in the media and across social networking that I imagine that many of us who have worked in this area for a number of years have spent way too many hours trying to undo the damage that people naively created. A lot of people saw an opportunity with GDPR and decided to term themselves as Privacy and Data Protection experts, with very little practical or operational knowledge to advise on what is essentially a risk-based regulation.

What has been your biggest success in the last 12 months?

My biggest success has been proving to people that getting Data Protection ‘right’ can be a driving force across many facets of an organisation.

For most of my career, I’ve faced the ‘what value do you add to this business if it’s not the bottom line’ brigade. The last thing I address is what happens if we get it wrong. My approach is to educate how Data Protection drives trust and brand loyalty by demonstrating a commitment to doing business the right way; showing that the introduction of GDPR and DPA 2018 are opportunities to refresh working practices and prove that compliance should never slow down innovation and growth; using them to drive effective risk management – to mitigate risks and to enhance and augment decision making and to drive efficiency with compliance as a real time process, considered in all we do (rather than a clean-up process).

Where do you see the biggest challenges for yourself and other DPOs over the next 12 months?

Aside from educating people on the role of the mandated DPO, I think many of my peer DPOs who have stepped into the role from first line roles may find it challenging stepping back to act in an advisory role only. You’ll normally find that highly experienced Privacy and Data Protection professionals are also a number of other things by virtue of the work they’ve had involvement with – strategic business leaders, risk and control experts, marketing experts and great information technologists. If these people haven’t worked in second line roles, they’re likely to find the position quite restrictive and may find themselves inadvertently stepping outside the confines of the role (and some of the job security that comes with it!). For me, showing people the benefits of getting it right affords me the satisfaction I might miss from being able to add value in other ways if the role weren’t mandated.

The other challenge I see is accountability. Historically, as a small regulator with few subject matter experts across different sectors, the ICO have relied on the professional integrity of Privacy and Data Protection professionals and the organisations they work with.  In the next 12-18 months, as they educate themselves and we all continue to educate the public, any drive for enforcement will be easier than it ever has been before – demonstrating compliance to a regulator, customers, partners and suppliers isn’t the same as providing unevidenced assurance.

Matthew Kay, Thomson Reuters

How long have you been a Data Protection Officer for and how has the role changed over that period?

I have been a DPO for approximately 3 and a half years; prior to this I worked for the regulator, leading teams auditing data protection and privacy compliance. The role has risen greatly in profile and stature since the introduction of GDPR.

What does your typical day look like as a DPO, a year on from the GDPR coming into force?

This will differ between organisations, but most DPOs are likely to split their time between day to day business as usual compliance and longer-term strategic projects to maintain projects, as well as tackling historic legacy issues.

What has been your biggest challenge over the last 12 months?

Maintaining continued compliance following the introduction of GDPR.

What has been your biggest success in the last 12 months?

Achieving a set of core objectives mapped out for GDPR compliance within the strategy document that was endorsed by the CEO at the company I worked for.

Where do you see the biggest challenges for yourself and other DPOs over the next 12 months?

Continued compliance and maintaining senior leadership engagement and working to ensure the programme put in place for GDPR is sustainable and well managed.

Michael Lewis, DPO, Admiral Group

How long have you been a Data Protection Officer for and how has the role changed over that period?

I started officially as the Group Data Protection Officer for the Admiral Group plc in 2007, having worked previously within various operational roles and as an Internal Auditor, focused primarily on regulatory and information risk.

The role has changed considerably, and the extent and pace of the changes do not seem to be letting up.  When I started the focus was very much on ‘protection’, and personally my role was very much centred on UK privacy law, specifically around access rights, exemptions and some aspects of security.  Over the years the data protection world has changed – focus shifted relatively recently on to how businesses actually collected data, directly or indirectly.  Part of this was fuelled by people’s interpretation of ‘consent’, some of it by increased focus through the GDPR and conversations around ‘lawful basis’, but also by concerns around social media usage and data harvesting practices.  I think the next big public focus will be squarely on what businesses are doing with the data and also ensuring that they are in a position to explain the processing, the outcomes and the impact of the processing, particularly when it comes to new technologies, AI and machine learning – data ethics is popping up everywhere now, and DPOs should be involved in these broader conversations.

In addition, data protection has matured over the years from being a day-to-day operational consideration to now being a key strategic risk.  This means that it has now become a frequent agenda item within Board meetings. To accommodate this, DPOs have to be multi-skilled, comfortable with technology and the relevant laws, but also be able to communicate and articulate what are reasonably complex topics to both data subjects and Board members.  It is now a rather noisy space to operate in and everyone has their own view, whether based on personal experience, common sense or empowered by perpetuated myths circulating on social media.

What does your typical day look like as a DPO, a year on from the GDPR coming into force?

I do not think I have a typical day anymore.  I can guarantee that I will have at least one meeting about a new idea or ‘innovative way to provide a Service’ through a new shiny app or tool.  I am fortunate to have a great team next to me in the UK, but also within our continental European businesses, so part of my day will be spent providing a steer or a challenge on one or more of the various Privacy Impact Assessments that are being conducted at that time.  I will typically spend some time with my colleagues within other areas of risk and regulatory governance, particularly when dealing with topics that have multiple Regulators interested. 

A fair amount of my time is spent travelling to the Group’s various locations and keeping in touch with the privacy teams and senior managers.

I also keep a regular daily space for the gym – it is my thinking time.

I can also guarantee that time will be spent either reviewing a report or producing a report. GDPR has meant that there are now countless management information packs, reports and slide decks.

What has been your biggest challenge over the last 12 months?

The biggest challenge has been keeping up the momentum. 12 months ago, everyone was talking about GDPR and everyone had received multiple “we have updated our privacy notice” emails. Interest levels in data protection were at their highest and DPOs probably never felt so popular – there were countless invites to meetings to discuss what we were doing for GDPR. However, businesses naturally move on to the next big thing and can quite quickly but accidentally forget about all these changes that they went through and the concerns that they had. The challenge was ensuring that nothing slipped, but actually we embedded, refined and matured those changes.

What has been your biggest success in the last 12 months?

There have been a number of things that I consider as successes.  Privacy by design (and default) is not something completely new to the business I work in as I initiated processes within our project and product development areas a number of years ago.  However, this has been revitalised, extended and formalised to cover all manner of processes and changes in all of our UK and EU based businesses, and done so in a rather business friendly and sympathetic way. 

The last thing we wanted to do was to stifle or block innovation and developments. Not only would it harm the business, but it would perhaps tarnish the role and standing of a data protection professional. I also suspect that people would naturally look to work around it, cut my team out of conversations or simply be too scared to suggest an idea. So, it was fundamental to come up with processes, such as Privacy Impact Assessments, that suited the way the businesses operated, were robust enough in terms of challenge, efficient to produce but were clear and succinct enough for senior managers to understand. Not a simple task given that a business like Admiral has a variety of governance models, regulatory frameworks and reporting mechanisms. However, 12 months on the processes are going strong and helping to increase understanding and awareness of privacy and data protection risks right across the Group.

Where do you see the biggest challenges for yourself and other DPOs over the next 12 months?

As mentioned, within the financial services, the topic of data ethics is increasingly popping up. When combined with the speed of technological advancements and regulatory developments, then I reasonably expect that I will spend a lot of time researching and learning over the next 12 months. For me, a key requirement to being an effective DPO is understanding the business and area that you work in – the biggest challenge is always keeping this knowledge up to date and being able to recommend and suggest better or alternative ways of doing things. Additionally, my focus is on developing my teams and ensuring that we have a whole new cohort of future DPOs snapping at my heels.

Louise Garrett, DPO, The Percy Hedley Foundation

How long have you been a Data Protection Officer for and how has the role changed over that period?

Full time role as a DPO for 24 months; prior to that I was a compliance leader at another organisation with DPO as a small part of my full-time role.

Although working for 2 different organisations in 2 different sectors, I think the main change has been the significant shift in mindset and buy-in from board level down towards the importance and value in the role of a DPO – I think even 3 years ago no one would have seen the value in a full time DPO role.

What does your typical day look like as a DPO, a year on from the GDPR coming into force?

Monitoring policies and procedures relating to data protection, completing compliance audits, issuing actions and recommended best practices and following up on these, designing and delivering ongoing training to staff, answering ad-hoc queries and keeping a log of these, reviewing DPIAs, board reporting, managing SAR requests, investigating data breaches, feeding into the risk register, project groups and IT infrastructure strategies.

What has been your biggest challenge over the last 12 months?

Limited resource and financial constraints.

What has been your biggest success in the last 12 months?

That I got our very complex data mapping completed and we now have a baseline compliance status with a future action plan to get to where we need to be. Due to the resource and financial constraints this has actually been a huge achievement that at times didn’t even seem achievable given how much we had to do.

Where do you see the biggest challenges for yourself and other DPOs over the next 12 months?

The drawn-out Brexit issue has caused a lot of confusion and hold-ups, especially around sharing data within the EU (will we be part of the EU or not) and the knock-on effect of contract clauses etc. A lot of required legislation and supporting guidance etc. from the ICO and government is all on hold (still).

Aside from Brexit, my personal biggest challenge is going to be our required new IT infrastructure to support the second phase of our compliance journey.

Anonymous DPO

How long have you been a Data Protection Officer for and how has the role changed over that period?

I’ve been working in Data Protection since 2008 but only for the last 3 years in roles specifically designated as Data Protection Officer.  The most significant change has been the raising of the profile of the subject. When I began (working in Government) it was a real struggle at times to get people to understand why it mattered. Now, thanks in large part to GDPR, the awareness of the importance is there, although that is not to say there aren’t still big challenges.

What does your typical day look like as a DPO, a year on from the GDPR coming into force?

It’s a mixture of the strategic and the tactical. I’ve recently joined a new organisation so I’m still getting to grips with the data protection landscape here, but there are always the requests from the business for new things they want to do that need to be reviewed, advice on how to respond to the more challenging data subject rights requests, whilst making time to think about how culture, policies and processes can be further improved.

What has been your biggest challenge over the last 12 months?

Maintaining the momentum generated by the GDPR deadline to drive through progress on the outstanding activities necessary to get closer to full compliance.

What has been your biggest success in the last 12 months?

Having a marketing team who now factor in data protection and privacy at the outset of all their planning.

Where do you see the biggest challenges for yourself and other DPOs over the next 12 months?

Ongoing challenge of addressing data retention and unstructured data, emerging focus on ad tech and other uses of personal data in the digital space.  We’re also still waiting for the first post GDPR fines to be issued by the ICO.  Depending on the level of those we might see a change in risk appetite at the board level which could drive big changes in our approach.
