A guide to the GDPR for a Data Protection Officer

“But in these cases
We still have judgment here; that we but teach
Bloody instructions, which, being taught, return
To plague the inventor: this even-handed justice
Commends the ingredients of our poison'd chalice
To our own lips.”

Data Protection Officers (DPOs) may feel that Shakespeare’s Macbeth wasn’t the only one to consider the ramifications of a poisoned chalice; as such officers are in the front line when it comes to the implement of the new General Data Protection Regulation. But rather than seeing the negative of additional burden, the new Regulation could be seen as a great opportunity for data protection officers to make a real difference by playing an increasingly-pivotal role within their organisation.

As BPE’s Data Protection Officer in the Risk and Compliance Team, I’m working with our Chief Executive, Business Development Director and our legal teams to ensure that BPE is ready for the Regulation, now less than 11 months away.

Has your organisation already got a DPO? Are you thinking of employing one? Are you thinking of using an outsourced provider instead? I thought it might be helpful to give some insight as to what a good DPO looks like.

What do I need to be a DPO?

• Expertise in national and European data protection laws and practices
  
  
• Understanding of the GDPR
  
  
• Understanding of the processing operations carried out
  
  
• Understanding of information technologies and data security
  
  
• Knowledge of the business sector and the organisation
  
  
• Ability to promote a data protection culture within the organisation

What would my key tasks be?

• To inform and advise the entire company about its obligations to this regulation
  
  
• To monitor compliance with the regulation including assigning responsibilities to others, awareness raising and training
  
  
• To monitor the company’s data protection impact assessment and report back on it when required
  
  
• To comply with the supervisory authority
  
  
• To act as the authority’s contact point 

What if senior management tell me I shouldn’t report a breach?

• Article 38(3) also requires that DPOs should ‘not be dismissed or penalised by the controller or the processor for performing [their] tasks’. This encourages independence yet you have sufficient protection when performing your role. Ultimately you cannot be sacked if you report a breach against the wishes of senior management

What should I expect from my firm?

• Active support of senior management
  
  
• Sufficient time to fulfil your duties
  
  
• Adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate
  
  
• Official communication the designation of the DPO to all staff
  
  
• Access to other services within the organisation so that you can receive essential support, input or information from those other services
  
  
• Continuous training

What challenges can I expect?

• With any big change, and a regulatory one at that, there is always going to be difficulties with the embedding, particularly with employees having to potentially completely change the way they work initially with their clients
  
  
• Senior Management understanding and buy-in, change starts from the top
  
  
• You’ve written the letters asking for consent, but received nothing back
  
  
• Interpreting the regulation - all 55,000 words of it
  
  
• Lots of questions, and not always being able to provide the answer (or until more guidance is produced)
  
  
• Understanding the ‘how, what, and why’ of all your firm’s data
  
  

GDPR: What should I do?

There is plenty of information out there on ‘steps to complying with GDPR’, but here are some practical tips for the now:

• Set up a GDPR task force, meet weekly, implement a gantt chart, make sure people know what is expected of them and give them strict timeframes
  
  
• Get those privacy statements written. I’m lucky that I work with fantastic lawyers who can do this!
  
  
• Send out those privacy statements and consent letters, but be sensitive to the relationship managers and include them
  
  
• Speak to your IT department about what system capabilities you may have when recording consent evidence
  
  
• Put GDPR on your risk register as a top risk - educate senior management
  
  
• Make a note of changes to your Policies as you go along. You don’t need to change it now, but just start becoming aware and mark up policies
  
  
• Include GDPR in any monthly bulletins you produce for employees
  
  
• Hold Lunch and Learn sessions for employees – with ‘another Regulatory training session’ a free lunch always encourages more people to attend!
  
  
• Keep reading the ICO website, it’s clear and understandable – use their online chat facilities if you have any questions
  
  
• Start to understand the ‘how, what, and why’ of all your firm’s data

We have 10 months to change the mind-set and approach of employees and with preparation, training and a real understanding of the risks; we will embed a culture where we will not be caught out by GDPR regulation.

If you would like further information, please feel free to contact Susannah Eaton either by calling her on 01242 248 461 or by emailing her at susannah.eaton@bpe.co.uk

These notes have been prepared for the purpose of an article only. They should not be regarded as a substitute for taking legal advice.