When the European Union adopted the General Data Protection Regulation, it knew companies would need a lot of help meeting the regulation and continuing to comply with it. To support them, the GDPR defines a new role: the Data Protection Officer (DPO). It is a position with a lot of responsibilities. Appointing one is mandatory only for certain organizations (public authorities, and organizations whose core activities involve large-scale regular and systematic monitoring of people or large-scale processing of special categories of data), but it is a role that can help any company identify and coordinate the actions needed to protect personal data.
Because the role is new, we thought it would be helpful to provide a list of best practices every DPO should consider to help them succeed in their position.
1. Get Training
Nobody is born a DPO, and anyone entering this role will require training. Look for a short course, a few days long, to get a solid grounding in the basics of the role; Thomson Reuters offers one. Longer programs, including diploma courses, also exist; see ITGovernanceUSA.com. You can also train yourself through MOOCs or books. The key is to find answers to your questions so that you can get up and running in the position as quickly as possible.
2. Actively Monitor the Industry
A good DPO stays up to date on news about their own industry as well as the privacy field in general. Set up alerts and notifications (legal, technical, sector, societal, and so on) on topics related to personal data. Use social networks such as Twitter and LinkedIn, Google Alerts, and feed readers such as Feedly. Subscribe to privacy newsletters and to the publications of the GDPR supervisory authorities.
3. Build Your Network
You won’t be the only DPO in your sector, so look for opportunities to build your network: exchange best practices and discuss technical and legal points. Social media sites such as LinkedIn are useful, particularly the Groups set up on this topic and the key experts to follow, but they should be complemented by in-person meetings: working groups, workshops, partnerships, and conferences.
4. Identify Tools at Your Disposal
In France, the CNIL supervisory authority supports the rollout of the GDPR. It provides a set of practical tools to help you settle in as a DPO, such as a processing-register template, step-by-step guides, and fact sheets. Check these tools and look for similar ones from other supervisory authorities and from the EU Commission. Since the DPO is a new profession, expect new technologies to appear that can help you do the job efficiently. Note: Everteam provides a file analytics tool that will help you perform a content inventory.
5. Meet Affected Departments and Teams
As DPO you must be fully integrated into the operations of your company: you should be involved in the development of new products, services, and marketing strategies. It is therefore vital to meet regularly with the people you will be working with.
- Consult the org chart to determine who to meet.
- Get in touch with each operational manager to identify if/how they process personal data.
- Schedule appointments with each professional involved in your new activity. Beyond an introduction, this first meeting lets you start to set up your future collaboration.
6. Conduct an Audit
This should be one of your first actions as a DPO. An audit lets you identify all current processing of personal data in your company and what information is collected: names, phone numbers, addresses, emails, purchase history, and so on. It is also the starting point for the record of processing activities the GDPR requires (Article 30). Once you have this information, you can evaluate your organization’s level of compliance and build your action plan.
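As an added example (not part of the original post, and not Everteam’s tool), the script below shows the kind of first-pass discovery that feeds an audit: it scans a few constructed sample sources (a CRM export, a support log, a release-notes file) and records which categories of personal data appear in each. The category patterns, the Luhn check used to separate card numbers from phone numbers, and the sample data are all assumptions made for illustration; a real inventory would run over exports from every department, and names and postal addresses would need dictionaries or entity recognition rather than regular expressions.

```python
import re
from collections import Counter
from typing import Dict

# Constructed sample data sources, standing in for the exports, logs and
# documents an audit would actually pull from each department. The names,
# addresses and numbers below are illustrative only.
SAMPLE_SOURCES = {
    "crm_export.csv": (
        "id,name,email,phone,last_order\n"
        "1,Alice Martin,alice.martin@example.com,+33 6 12 34 56 78,2018-03-02\n"
        "2,Bob Dupont,bob@example.org,01 23 45 67 89,2018-04-11\n"
    ),
    "support_tickets.log": (
        "2018-04-26 10:15:02 ticket=4812 from=carol@example.net ip=203.0.113.42\n"
        '2018-04-26 10:16:40 ticket=4813 note="customer paid with card 4111 1111 1111 1111"\n'
    ),
    "release_notes.txt": "Version 2.3.1 released 2018-04-26. No customer data here.\n",
}

# Heuristic patterns for a few personal-data categories (assumed, not an
# exhaustive taxonomy). Names and postal addresses need dictionaries or NER
# and are deliberately not attempted here.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
# Timestamps are the classic false positive for phone-looking digit runs,
# so they are blanked before the digit scan.
ISO_DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}(?:[T ]\d{2}:\d{2}(?::\d{2})?)?")
# Any run of digits with common separators; classified below by digit count.
DIGIT_RUN_RE = re.compile(r"\+?\d[\d .()-]{7,24}\d")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Counter:
    """Count occurrences of each personal-data category in one text blob."""
    found = Counter()
    found["email"] += len(EMAIL_RE.findall(text))
    text = EMAIL_RE.sub(" ", text)
    found["ip_address"] += len(IPV4_RE.findall(text))
    text = IPV4_RE.sub(" ", text)      # otherwise 203.0.113.42 looks like a phone
    text = ISO_DATE_RE.sub(" ", text)  # drop timestamps before the digit scan
    for m in DIGIT_RUN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found["card_number"] += 1
        elif 10 <= len(digits) <= 15:  # E.164 allows at most 15 digits
            found["phone"] += 1
    return +found  # unary plus drops zero-count categories


def build_inventory(sources: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Map each source to the personal-data categories found in it.

    Sources with no hits are kept (with an empty mapping) so the record
    shows they were examined rather than skipped.
    """
    return {name: dict(scan_text(text)) for name, text in sources.items()}


if __name__ == "__main__":
    for name, categories in build_inventory(SAMPLE_SOURCES).items():
        print(f"{name}: {categories or 'no personal data detected'}")
```

The output is a per-source map of categories and counts, which is the raw material for the processing register: each source still has to be tied to a purpose, a legal basis, a retention period and an owner by talking to the team that produces it, which no scanner can do for you.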
7. Immerse Yourself in the GDPR
The GDPR in its entirety is 99 articles and more than 170 recitals: more than 60 pages of sometimes obscure legislative text. It is certainly not bedtime reading, but you have to read and understand it all. It contains provisions that bear on your industry, allowing or prohibiting certain data processing, or imposing restrictions and requirements on the legal basis for processing. As DPO, you should know the regulation inside out, or at least know where to look for the information you need.
8. Communicate Internally
The DPO is the conductor of the application of the GDPR within a company. Make sure you have the means (financial, human, technical, and operational) to communicate internally on data protection. The more your colleagues understand what is required, the fewer corrective actions you will have to put in place over the long term. For example, send out a regular newsletter explaining your function and your decisions.
Want to learn more about the GDPR and tools to help you get your job done? Register for our April 26th webinar: How to Get Ready for GDPR with a Data Inventory.