A risk-based approach to the DPO role
by Mandy Webster
Managing risk and conflict of interest
A risk-based approach to data protection compliance is required under GDPR. Article 39(2) says that the DPO should “have due regard to the risk associated with the processing operations, taking into account the nature, scope, context and purposes of processing”.
The Article 29 Working Party (advisory body to the EC on data protection) says in its guidance on the DPO role that Article 39(2) “recalls a general and common sense principle, which may be relevant for many aspects of a DPO’s day-to-day work. In essence, it requires DPOs to prioritise their activities and focus their efforts on issues that present higher data protection risks. This does not mean that they should neglect monitoring compliance of data processing operations that have comparatively lower level of risks, but it does indicate that they should focus, primarily, on the higher-risk areas.”
This confirms a useful principle for DPOs and should inform audit planning, time management and so on. Remember that risk relates to the likelihood and severity of harm, based on the type and amount of personal data processed and on other circumstances, such as whether the personal data is being transferred to third countries that offer a lower standard of data protection than that applying in the EU.
WP29 goes on to say: “This selective and pragmatic approach should help DPOs advise the controller what methodology to use when carrying out a DPIA, which areas should be subject to an internal or external data protection audit, which internal training activities to provide to staff or management responsible for data processing activities, and which processing operations to devote more of his or her time and resources to.”
What methodology to use when carrying out a DPIA
There can be significant differences in the scale of a Data Protection Impact Assessment. Some may be carried out by in-house data protection practitioners initially, with other interested colleagues having input over time. Some may require external, specialist assistance; still others may involve a very wide group of “stakeholders”, for example in the NHS or the public sector. The risk inherent in the data processing under review should inform the resources needed to conduct the DPIA and the frequency of follow-up reviews.
Deciding which areas should be subject to internal or external audit
Risk management has an obvious input into deciding where an external data protection audit is required. There is another aspect too, around conflict of interest, where a DPO has undertaken work on behalf of the business rather than maintaining his or her independence so as to be able to check that work. For example, where the DPO has drafted documents or procedures, or given training, it is difficult for him or her then to audit the outcome of that intervention with an independent, arm’s-length view. A conflict of interest also arises in connection with the DPO's other (non-data-protection) responsibilities: the DPO will not be able to audit his or her own department, and an external auditor will be required.
It can be difficult to keep sufficiently up to date with changes in the interpretation of data protection law in areas such as HR. This might be another area where the DPO would welcome input from an external auditor.
We offer a DPO support package as a good solution for designated Data Protection Officers managing the role on a tight budget. It comprises a package of suggested audit checks, training and reporting templates and advice based on our 18+ years' experience in data protection compliance.
The support package is a set of tasks and actions including:
- Suggested annual compliance programme
- Audit checks on the integrity of the DPO role, how it is resourced, set up, etc.
- Audit checks on the compliance of the organisation
- Suggested reporting frequency (board, and SMT) and content
- Checks on the adequacy of staff training
The annual compliance programme can be tailored to take account of peaks and troughs in other work. The package is easily customised by adding new tasks, altering the frequency, changing the person designated to carry out a task, and so on. We have made standard recommendations as to the frequency for carrying out the checks. Over time you will be able to refine the frequency of checks based on your audit findings and the risk specific to your organisation’s data processing activity.