DPO on a Shoestring Budget
by Mandy Webster
Not all businesses employ a full-time Data Protection Officer, so it often forms part of a manager's job to act as DPO or Data Protection Manager, the contact for issues and queries relating to data protection.
The role of Data Protection Officer is a statutory role, and there are formal obligations and duties to carry out. Even where the role is advisory rather than mandatory, it is good practice to undertake checks on data protection compliance. Where certain processing activity requires the designation of a DPO, his or her compliance activities are not restricted to the higher risk processing activity but should encompass all the data processing activity undertaken by the organisation.
The principle of Accountability set out in GDPR requires the organisation to manage risk in relation to personal data processing, and this makes risk management the framework for dealing with data protection compliance issues.
Not all organisations can afford to fund a full-time DPO or advisory role, and there will always be some budget restrictions even in the best resourced businesses. Here are some tips to help make best use of resources to maximise GDPR compliance on a low budget.
Plan your year ahead. Pick up the higher risk areas as focal points, prioritise new projects (undertaking Data Protection Impact Assessments) and schedule what time you have available to target risk hotspots. Ensure senior management understand the approach, approve the work plan and receive progress reports. If asked to deviate from the plan, ask what additional resource will be available. Not all the checks you need to make require DPO training; in fact you need the views of all levels of staff to gauge whether training material is being accessed and absorbed.
Ensure you always have a store of lower level checks (objective, process and how to record results) to present if suddenly offered an afternoon of someone's time! Talk to HR about recruitment: are there gaps in the induction schedule that offer time you can use? Is anyone at a loose end in the short term due to reorganisation of departments etc.? Can operational departments be persuaded to provide secondees from time to time, to give them an in-depth understanding of data protection as well as provide valuable resource to the DPO?
Find out what internal and external audits are planned during the year. Get an input to their scoping, speak directly to the people who will carry out the audit and build in some checks that will be useful to you as DPO. Third-party (TP) provider checks should include security measures and contractor staff training. Audits carried out for operational purposes can be extended too; for example, Health & Safety audits can be amended to include checks on CCTV. Remember that the business should carry out the checks; you should be checking the checkers.
Make sure you see audit reports, read them and follow up issues relevant to, or which have an impact in relation to, data protection and information security.
Be creative and identify pockets where there might be "free" resource you can tap into! For example, when senior managers are on holiday, can you have a day or two of their PA's time to check where training material is, that it is accessible, up to date and comprehensible, and get their feedback? Are there any apprentices that you can ask about the company's DP awareness training? Get some feedback, then test their knowledge again after say two months, then six months. This might provide evidence that annual training is too infrequent (or too frequent, because of other ongoing informal training), or that the training material needs to be refreshed.
Find out about free seminars and join discussion groups. Try to tap into what other DPOs are doing and what their experience is. Subject to NDAs, you might be able to arrange a day on site with another DPO and invite them back to see your set up. After all, peer group review will be one of the strongest tools.
Many sectors have sectoral discussion or interest groups. Find out what is available to you and don't be hidebound by labels: company secretaries, compliance officers and governance professionals all have the same goals in the end. Ask to be taken as a guest to sector specific meetings when data protection is on the agenda.
Subscribe to all the big conference organisers and go along to relevant ones, if not as a delegate, then as a visitor to the ubiquitous exhibition and talk to the exhibitors. Find out what is new, what current trends and concerns are, ask technical questions to get information for free. Exhibitors love talking to people, the exhibitors’ nightmare is a conference where no one speaks to them, not the one where someone picked their brains a bit!
There are a lot of free training materials available online and webinars that you can access for free. Rather than searching for help with the DPO role in general, try focusing on individual topics such as “social media compliance” or “website compliance”. Read articles published on legal websites.
Conflicts of interest are never easy to manage, and it is hard to stick to the line that your role is to check rather than to undertake the work in the first place. However, if you give in and write wordings for clauses, privacy notices etc., not only are you agreeing to extra demands on your time, but your independence will have been compromised and you will not be able to carry out a proper independent check of your own work. Offer a solution: suggest googling the wording required, and suggest key phrases colleagues might use. Ask for assurance that their department will pay for any external review of wording you draft. In the end a compromise may be required; after all, you have the skill set to draft wordings as a result of checking them. But make a note and consider how best to remedy the lack of independent oversight in that circumstance. Possibly do a trade for a half day of lower level checks, and take the argued-over wording to the next free conference for independent input.
DPO Support Package
We are launching a DPO Training and Support Package shortly. Register your interest by email to email@example.com