In May 2019, on the first anniversary of the GDPR, the DPO Centre held a series of presentations at seminars and events about how the DPO role was evolving. A year later, the Data Protection Officer was ranked as the second highest emerging job in LinkedIn’s 2020 Emerging Jobs report – a real reflection on the increased importance placed on privacy and data protection by leading organisations.
So we thought now would be a good time, almost 2 years on from May 25th 2018, to return for another look and see what’s changed. We’ve done this through the eyes of Alison Jones – our ‘model’ DPO. We suspect Alison’s journey bears more than a passing resemblance to the evolution of the role experienced by many other DPOs and privacy professionals.
Meet Alison Jones – Early in her privacy career
3 years ago, Alison worked with the compliance team. She’d left university with a good law degree and had managed several projects, some of them IT based.
With the upcoming introduction of the GDPR, her manager asked her if she could find out more about what was involved and how it would impact her organisation. What did they need to do?
She soon realised she needed to become a GDPR subject matter expert (SME) and enrolled on a Certified Information Privacy Professional Europe (CIPP/E) training course.
Understanding the GDPR – Alison the Translator
Very quickly Alison was seen as the GDPR specialist. Her first job was to translate the regulation into words the rest of the company could understand. She interpreted the legalese and explained in practice what her business should do to comply.
She did this for every department handling personal data – whether it was human resources, finance, sales and marketing, operations or IT and tried to cut through the GDPR hype appearing in the press.
Of course she didn’t fully understand how each different department used personal data or the processes and procedures they used, so she needed to learn how things actually worked in her company and then identify how the GDPR should be applied.
Enforcing the GDPR – Police Officer Alison
Alison quickly realised there were potential issues across the business. Like many organisations, the company often treated personal data as its own. Several well-established processes were clearly not compliant. Alison was often seen to be “getting in the way of things”.
Sometimes she felt like a broken record and was frequently heard to utter phrases like “we can’t keep this data anymore”, “we need a lawful basis for that”, “we need to put an appropriate policy in place”.
Ultimately her main task was to make sure the organisation wasn’t exposed to unnecessary risk, particularly given the greater powers of the ICO and the new potential of significantly increased financial penalties.
Alison needed persistence, a sense of humour and thick skin. Whilst she always tried to explain her thinking and provide constructive solutions, some senior managers and staff were very resistant to change.
Making things happen – Alison the Change Agent
Gradually, persistence began to pay off. With support from an increasing number of the senior management team, and aided by some well publicised actions by the ICO (notably British Airways, Marriott and Cambridge Analytica) Alison began to make people realise the importance of changing to comply with the GDPR.
To be effective, Alison had to combine her technical legal skills with an understanding of the commercial needs of the organisation and the market it operates in. Much of her time was taken training and raising awareness with staff about their new responsibilities and how and why they needed to do things differently. When trying to change business processes that didn’t comply, she found she was trying to apply influence with limited authority – something that’s never easy. She had to develop her soft skills as well as her technical ones and became a great communicator and diplomat. However, when push came to shove, she was never shy to wield the ‘big stick’ of the law and potential penalties to assist with her persuasion!
Moving centre stage – Alison the Strategist
Looking back over the last 3 years, Alison’s DPO role has changed dramatically. Having started off with the simple task of being asked to find out more about the GDPR before it came into force, she’s had to be a translator, an enforcer and then help facilitate and influence huge amounts of change across all areas of the business.
She’s written policies, put processes and procedures in place to monitor data protection compliance and mitigate risks. She’s helped map personal data across the organisation, she ensures Records of Processing Activities (RoPA) are in place, that DSARs are answered and that individuals can exercise their rights under data protection law. She’s trained employees about their responsibilities and worked with third parties to put data processing and sharing agreements in place to make sure appropriate safeguards have been implemented.
As more and more personal data is processed digitally and migrated to the cloud, the lines between data protection and information security are becoming increasingly blurred, so now she’s working more closely with the IT and cyber security team.
She’s answering directly to senior management and her opinion is sought when designing and implementing new business systems and processes. Increasingly she’s moving centre stage and involved in higher level strategic discussions.
Looking to the future
Given all she’s accomplished in the last three years, the variety of tasks she’s undertaken and the skills she’s developed, Alison’s role has definitely moved on, so it’s no surprise the DPO is the second fastest emerging role in the LinkedIn survey.
So what of the future?
As data, particularly personal data, becomes an ever more important part of business, it’s likely Alison’s role will become even more influential and complex. New legislation appearing globally is making the depth and breadth of knowledge required even greater.
New technology – Artificial Intelligence, AdTech, FinTech, MedTech and the Internet of Things (IoT) all rely heavily on the processing of personal data. In fact, the LinkedIn survey’s highest emerging role was Artificial Intelligence specialist. The privacy and data protection implications of these technologies are only just beginning to be recognised, understood and evaluated.
The Data Protection Officer’s role is broadening to such an extent that Alison sometimes feels she will have to be a superhero to fulfil it.
At the DPO Centre we recognise the broad range of skills and experience that DPOs need. By working with over 400 clients, our DPO team has developed expertise and experience in a whole range of sectors whether it’s understanding the privacy issues around adopting new technology, ensuring marketing campaigns are compliant, protecting sensitive patient and student data or managing employee records.
We’ve lived Alison’s journey and, by being part of a team, and sharing our knowledge within that team, we are able to give exceptional service, breadth of knowledge and ongoing support to all our clients.
Through our work with over 400 organisations, The DPO Centre’s team of experienced DPOs can provide the necessary advice, guidance and model documentation required to ensure timely, appropriate support with data protection compliance. For further information on how we can assist your organisation, please contact us.