A Day in a DPO's life
So, the company has completed its GDPR Compliance Project: it has identified the non-conformity points, implemented the required mitigation actions and trained the "relevant" staff members in GDPR "basics"... we are now compliant and the DPO may start his/her compliance assurance role in the company... what would a work day look like?
09:00 a.m. - just got to the office and powered up my laptop... checking emails for "urgent" messages that I may have "overlooked" on my smartphone, and checking in detail (on the bigger screen) the ones I have already read...
09:15 a.m. - Prioritizing open "issues"
09:30 a.m. - Checking "pre-scheduled" topics... Today we start the Regular (annual) Audit of the Marketing Department, assessing whether they are following the established GDPR-related Processes... kick-off meeting at 10:00 a.m. ... not much time left... still need to schedule a meeting with the CIO, who has informed me that they will be making some changes to the Active Directory, which means different user authentication... also on our customer-facing web services... let me take care of that and send an invite for tomorrow to start auditing that change under GDPR scope.
10:00 a.m. Marketing Department annual Audit meeting.
11:00 a.m. Coffee Break (after all, only human, right? :) )... nice chat with Customer Service, it seems they will be changing their CRM in about 6 months... well, there goes another Audit... need to speak to the Project Manager from IT and schedule it...
11:30 a.m. The result of the initial Marketing Department Audit meeting... Checking the GDPR Compliance documentation and generating a new version which reflects the required audit points, addressing a change to be implemented in their "reach out" Process (under Article 14)... they want to use a third-party service (as a Processor) to ease their workload and speed up "reach"... need to check those guys out... let me schedule it for tomorrow afternoon...
12:00 Lunch
1:00 p.m. Checking Data Subject interactions, starting with open points... there is one DSAR to be answered whose ticket has been stalled at the Training Department for over a week, let me call and ask why it is so hard for them to list the Personal Data they hold in their local department tools... still have 5 departments to go and not that much time left to forward the answer to the Data Subject.
1:30 p.m. New stuff... one Data Subject submitted a Complaint about our Logistics Partner, it seems they keep getting his name and invoice data wrong... need to speak with our Logistics Department so they can sort this out with the Logistics Partner.
2:00 p.m. Quick overview of open tickets... besides the DSAR stalled at the Training Department, there is one Coaching request from Sales and a Data Processing Agreement that needs to be reviewed because of a change in service scope by one of our Processors... better get on to it...
3:00 p.m. Now, training requirements... over the last month we have onboarded 7 new staff members who will be "handling" Personal Data as part of their operational tasks... these guys need to be trained in GDPR and take the "test" so I have documented proof that they "got the picture"... when would be a good time for the Training Department to do that? Let me check...
4:00 p.m. So, now that I have some quiet time, let me reach out to "Legal" to get their feedback on the pending issues regarding some contracts with Partners of ours...
5:00 p.m. amazing... another day has gone by... so much to do still ... it never ends ...
So, if you think the DPO will just be lying around waiting for some "buzzer" to wake him/her up... not really.
The DPO's daily routine will comprise some of the tasks below:
- Perform Regular Audits
- Schedule and perform "emergency Audits" when incidents or changes so require
- Interface with both Data Subjects and Supervisory Authorities, bridging if and when required to Internal Departments, Partners and support roles (e.g. Legal; HR; CISO; Training; others)
- Provide "coaching" to the organization... and maybe to some partners as well...
- Ensure Training to staff members where relevant
- Maintain relevant compliance documentation up to date
- Prepare and submit relevant reports (internal and external)
- Review Contracts where relevant
- Assess new service changes and inherent processes and support tools under Personal Data Protection scope.
Data Protection Officer (5 years ago)
Dear Paul Cook, that really comes down to considering the relevancy or need to regulate how one's Data is freely used and monetized by 3rd parties without one's awareness and at one's risk... if that is not a problem for you, then there is really no added value in having GDPR and similar legislation.
Project Architect (5 years ago)
I suppose the creation of the GDPR regulations has kept and will continue to keep people employed, and perhaps does so without creating anything of real value. Maybe it's just the tip of an iceberg, perhaps the agenda of someone with a serious burr up their a**
Group Senior Compliance Manager and Senior Compliance Officer Austria at SEMPERIT AG (5 years ago)
So true, and even more to that :)