It’s time to champion your DPO

Opinion by Jan van Vliet

DPO roles are increasingly influential and complex, working closely with IT and cybersecurity; if they are under-funded, enterprise compliance is at risk as data protection resources are stretched to breaking point.

Right now, data protection officers (DPOs) have a lot on their plate. The impact of Covid-19 has seen them battling to maintain GDPR compliance as enterprises adapt and respond to lockdown measures by furloughing employees or asking them to work remotely, and by rapidly deploying new systems and operational processes. On top of that, with cybercriminals looking to take advantage of the pandemic, the task of securing data in the face of an escalating threat landscape has never been more challenging.

Responsible for overseeing the organisation’s data protection strategy, the role of the DPO is a complex one that is evolving fast as new technologies – like AI, IoT, FinTech and MedTech – go mainstream. In addition, stricter privacy regulations being introduced by jurisdictions around the globe are adding to the data protection burden for international businesses.

However, DPOs are struggling with shrinking budgets and diminishing resources. According to a recent survey, more than a quarter of data protection and privacy officers say the biggest challenge they face is budgetary restrictions and a lack of resources. The research also highlights that the amount spent on data protection often amounts to less than five percent of an organisation's typical governance, risk, and compliance budget.

Clearly, businesses need to be careful they don't leave their DPOs under-funded and put enterprise compliance at risk as a result of data protection resources being stretched to breaking point.

The rise of the DPO

When GDPR came into force, it made the appointment of a DPO mandatory for public authorities and for any organisation whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of personal data; many other organisations handling the personal data of individuals in the EU have appointed one voluntarily. Responsible for educating the company and its employees about compliance, training staff involved in the processing of data, and conducting regular data protection audits, the DPO also acts as the primary point of contact between the company and the supervisory authority that oversees its data processing activities.

In the run up to GDPR, DPOs were primarily focused on implementing the systems and processes needed to achieve compliance. That included establishing a centralised governance model that encompassed the entire organisation – from the boardroom to IT and security. After which, attention turned to monitoring and progressing governance across the organisation.

Since then, the role has continued to evolve. As a champion of data privacy, the DPO leverages key relationships with members of the senior management team to ensure that all enterprise systems and processes are appropriately designed and operated with privacy in mind.

As more and more organisations embark on digital transformation journeys, DPOs are having to work more closely with IT and cybersecurity teams, as the lines between data protection and information security become increasingly blurred. In the coming years, the role of the DPO is only set to become more influential and more complex.

Confronting a sea of challenges

Despite a growing regulatory focus on data privacy, and the seemingly endless stream of media stories on high-profile data breaches, DPOs appear to be struggling to get the resources and budget they need. But that is not the only challenge on the horizon. DPOs report that their second biggest concern is working with other business units to integrate data protection measures and getting everyone across the enterprise on the same page.

Worse still, many are battling to get the headcount needed to improve performance and security across their organisation; 76 percent work in organisations with fewer than 10 roles focused on data protection and privacy.

The impact of the recent coronavirus crisis may, however, prove a tipping point for many organisations. Being forced to address a fast-moving operational environment has helped to highlight the importance of data protection and the pivotal role of the DPO in mitigating risk.

Going forward, organisations will need to rethink how they address their compliance obligations while staying focused on the practical and commercial needs of the business. Keeping pace with an evolving regulatory landscape, and fast shifting operational and workforce models is just the tip of the iceberg.

Alongside upskilling DPOs and appropriately resourcing their evolving portfolio of data protection activities, the pressure is on to get creative and get the message out.

Building a 'privacy-aware' culture

Organisations that nurture an enterprise-wide awareness of data protection issues will be better equipped to leverage compliance to their advantage. As data privacy processes and structures mature, initiating one roadmap for a common journey will help ensure that everyone across the business is on the same page – and reporting structures are streamlined.

While regulations such as GDPR can seem highly technical, informing and training people within the business is key: use simple language to communicate the key requirements and signpost who people should turn to for further help and advice.

Combining this with security awareness training will give employees a comprehensive overview of the risks that organisations face in today's increasingly digital world. From how to spot and stop phishing attacks to best practices for data management and protection, the goal is to create a mindset that reduces the risk of data breaches and to embed appropriate collective behaviours across the business. Once employees can connect data privacy risks to their own roles, and to their private lives, compliance becomes part and parcel of the organisational culture.

For example, since data subject access requests (SARs) can arrive at multiple points within an organisation, everyone needs to be aware of the importance of handling them efficiently and within the statutory deadline to avoid liability. Giving people the right training and the systems they need to identify, monitor, progress and report SARs will ensure nothing drops through the net.

The job of the DPO is to ensure the organisation continues to meet its data privacy and data protection obligations – whatever the operational challenge. Staying compliant depends on supporting DPOs to execute their myriad responsibilities – including raising awareness of data protection obligations and building a privacy-aware culture that keeps the organisation and its people safer.

Contributed by Jan van Vliet, VP EMEA at Digital Guardian.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.
