‘GDPR’ has become a familiar term. We recognise the visible and consumer-facing aspects of it in our everyday lives. As privacy professionals, we see consumers exercising their rights to withdraw consent to their data being processed via ‘opt out’ or ‘unsubscribe’ buttons, for example.
What’s not so evident is whether organisations are keeping their practices fully up to date and in line with the GDPR. For instance:
- Since adding unsubscribe buttons, those same organisations may have purchased marketing email lists without confirming the lawful basis under which the personal data was collected and sold;
- Since the EU GDPR was adopted in 2016 and became enforceable from 2018, we’ve had the DPA 2018 (Data Protection Act 2018) and Brexit in the UK; and
- More than 20 articles have been withdrawn from the EU GDPR to make the UK GDPR, and the DPA 2018 has been amended to be read in conjunction with the UK GDPR.
How sure are you that your organisation is fully compliant with the relevant data protection legislation? Would the fines and reputational damage incurred from breaches of the GDPR be commercially damaging?
Once compliant does not mean still compliant
If you are anything less than 100% sure, there is a fair chance that someone, somewhere, has assumed that nothing has changed internally or within the law.
Just because you sought expert opinion on the matter a few years ago doesn’t mean you’re in the clear. ‘Once compliant’ doesn’t mean ‘still compliant’.
It’s possible that you now need to appoint a DPO (data protection officer) or data privacy lead to be the single point of contact for questions, concerns, breaches, impact assessments or communication with the regulatory authorities.
Privacy is international
It’s not just the EU GDPR, the UK GDPR and the DPA 2018 that we may need to ensure compliance with. Privacy laws exist in almost every country and are relevant wherever you do business.
You can design your data privacy systems such that they meet all these legal requirements.
Having one or more of the following can significantly help with this:
- An ISO 27001 ISMS (information security management system).
- An ISO 27701 PIMS (privacy information management system).
- The guidance in ISO 29151, which specifies controls that help protect personal data.
But compliance requires clarity. The same goes for implementing any of the above.
If you don’t understand the topics in detail, you risk conflating one system, standard or set of regulations with another, causing you to lose out on multiple fronts.
Data residency, data sovereignty, and the roles of data controllers and processors can be complex in our business ecosystem, so it’s vital that someone on side – such as a DPO or privacy lead – can clearly distinguish one regulation from another to unpick any problems.
But the value of having someone trained in data protection and privacy really comes to light when an audit comes around or a data breach occurs.
A DPO isn’t just a trusted adviser during business-as-usual times. They are at the command centre of a cross-functional team in tough times. Faced with an incident or a breach, a well-trained DPO can avert a crisis before social media can cause a catastrophe.
Well-versed data privacy leads and DPOs can leap into action when needed, swiftly addressing and remediating issues, reporting to the necessary authorities and instigating lasting change. As part of this, they’ll have worked diligently to ensure they have the backing of senior management to step in and effect change when it is needed.
Quality DPO training educates and prepares the person for the role.
Knowledge, skills and competencies
Experience will stand a DPO in good stead, but it’s no substitute for competencies.
Apart from having a good grasp of the relevant regulations and excellent fact-checking abilities, a DPO will need to handle people and follow processes well.
As the DPO or privacy lead, you’ll be the go-to person, the ‘safe pair of hands’, the trusted adviser and the mediator. You’re not just going to be following procedures with care and caution; you’ll have a wide range of stakeholders to deal with.
Effective DPO training covers the ‘how to’ part of the role as well as the ‘what and when’.
At IT Governance, we give guidance on what it means to be responsible and accountable in a DPO or data privacy leadership role. That’s what makes the difference between someone who has been handed a task and a person who is up to the job.
And remember: how a person performs in their role ultimately determines their prospects and the commercial wellbeing of their organisation.
Free webinar: Building Your Career as a DPO and Privacy Lead
In December 2023, Andrew hosted a 45-minute webinar in which he:
- Set out the critical steps to advance a career in data protection and privacy leadership;
- Mapped a data protection career path, and the skills and qualifications needed for success in this pivotal role; and
- Explained our specialised training model for DPOs and privacy leads, and how IT Governance can empower your data protection career.