How to stay up to date as a DPO
Rie Aleksandra Walle
Decode CJEU, EDPB & DPA news | International speaker | Grumpy GDPR podcast | DPO Hub & NoTies Community | Not daily on LinkedIn & no app, email if urgent
TL;DR: DPOs are busy and must carefully choose and filter their information sources. After deep-diving into GDPR news across the EEA for years, here are my key tips on how to stay up to date as a DPO.
How to stay up to date (without losing your mind)
Before diving in, grab a pen and paper to jot down your thoughts and responses as you read through this, so that you can create a summary and step-by-step process for yourself after.
Step 1: Filter! What's crucial to *you*?
Start by asking yourself this question: What is crucial for me to know, to be able to do my job sufficiently?
Your keyword here is FILTER.
In addition to the obvious, the GDPR (and what I mention below, which I think every DPO must know), is it the LED, the Marketing Act, the Clinical Trials Regulation, PSD2, the Public Administration Act?
Start by writing down your initial thoughts first. Then read the rest of the article and add whatever comes to mind along the way.
When you're done, go back to your list and rank the legislation you've noted down from most to least important. This is your guidance onwards.
Step 2: Determining key news sources
Now, with a clear overview of the legislation most relevant to your DPO role, the next step is to list your most important sources of news.
As a starting point, you can glance through the list in the section below. At a minimum, this includes relevant CJEU rulings interpreting key GDPR definitions and provisions (since these apply to us all, like Schrems II).
However, not all GDPR updates under the sun will be relevant to you.
Again, look at your role and where you work. If you're in education, you'd want to pay particular attention to any news from this sector - which isn't necessarily only schools.
Maybe it's in a municipality, which also means the public sector, with all the various laws applicable then. And if you're based in ????, the Helsingørgate/Chromebook case is a given.
For DPOs in ????, a generally relevant case is the Legelisten one on legitimate interest, that went all the way to the Supreme Court. Or, if you're in ???? healthcare, the MedHelp case.
DPOs in ???? better pay attention to their DPA's DPO audit campaign of 25 organisations in both the public and private sector (which still has key takeaways for all DPOs on what to do and what not to do).
And, if you're a DPO in the ???? banking sector, the €700,000 fine for misusing (terribly poor) emotional AI to analyse people calling you (the one that inspired our very first Grumpy GDPR episode!), or in ????, the Danske Bank one for insufficient deletion practices.
Or this juicy combination: DPO-related fine in the ???? banking sector! (Or, if you're based in ????, the one where a court annulled a €5 million fine to Banco Bilbao.)
Ooops, sorry! I get so carried away and can't help myself! The point of this article was to help you manage overwhelm, not add to it...
Your key takeaway is: Focus first and foremost on court rulings and DPA decisions from "your" country, and only those if you're pressed for time.
Your list now could include for example:
These should only include credible, official sources.
Step 3: Determining news channels
But having the sources is one thing, getting updates another. Which is why the third step is to ensure you find the news (or they find you).
If your national DPA has a newsletter (which they should), you should at least subscribe to this. They usually also share news on relevant CJEU rulings and EDPB updates. Hopefully, they also have an RSS feed on their website.
Which brings me to another key recommendation: get an RSS reader (send me a message if you'd like tips on specific tools).
But first a word of caution: don't fall for the temptation to connect every DPA website, the CJEU, the EDPB and all other GDPR news sources to this.
You're already busy and having access to all the information in one place isn't a silver bullet for keeping up to date.
Because you need time to read the updates!
So, for now, only subscribe to the most important RSS feeds.
The same goes for any newsletter subscription. Check your inbox. How many of these do you actually read? If you haven't read any of them for the past three months, then unsubscribe.
Finally, we're on one of those platforms that many DPOs rely on for updates: LinkedIn.
It can be an amazing place to pick up breaking news and the hottest trends. Just don't forget, in your busy-ness, to be critical of what you read, and from whom.
There are many "experts" here, eager to share their latest thoughts and be the first to break the latest CJEU ruling or DPA decision.
Unfortunately, this sometimes leads to a too-quick reading of that ruling or decision, missing crucial nuances or pieces of information.
So, while LinkedIn is great for catching trends and networking with fellow DPOs, always ensure you independently verify any news you plan to use professionally.
Lastly, numerous channels exist for staying informed, including podcasts, memberships, conferences, DPO associations, and educational workshops.
However, if you feel overwhelmed, critically assess where your attention goes. Prioritise content that offers tangible value, eliminating any sources that just add to the noise. Remember, you can always resubscribe later.
Step 4: Keep it going
Now you have an overview of your most relevant legislation, your key news sources and main channels.
Next is the hardest part: keeping up to date on a regular basis.
And this next recommendation might seem absurd, but hear me out. I want you to create a recurring task in your calendar. Not in your project management system - in your calendar.
Set aside 30-45 minutes at least once a week, where your only task is to skim through news items. And while you do this, save the most interesting ones. If you have an RSS reader, you can tag, star or shortlist such items.
Don't fall for the temptation to dive deep into any news, unless it's breaking news that's highly relevant.
Because you'll need to add another recurring calendar item for that: the deep-dives.
Tell me, how often do you actually read the full DPA decision, or CJEU ruling? How many times have you started on one, only to be disturbed by a breach or something others deem 'very urgent'? And how often did you never return to that reading?
And this is why you must add it to your calendar, and not as a task that'll just get pushed down the list.
This is hard.
You'll add it in, but something happens and you mark it complete, hoping to have time for the next one. That's a choice you make.
We're tasked to keep up to date, it's an actual legal requirement. So we just have to make it work. And the best solution I've found, is to add non-negotiable time to my calendar.
But, if you're constantly in fire-fighting mode, there's something wrong with your job.
Then you either don't have enough time and resources, or you work inefficiently and without structure. If the first is true, you must talk to management and find a solution. If the second is (also) true, you must take an honest and critical look at how you spend your days.
PS: If you're really, really struggling with this, get an accountability partner, a fellow DPO. You can have a (bi-)weekly (e-)coffee where you take turns presenting the latest interesting news.
What every DPO must or should know
Now to the final part of this article, what you, as a DPO, must or should know.
Let's start with the very minimum every DPO must know:
I'm tempted to add EDPB Art. 65 decisions to the mix, but I suspect not a whole lot of DPOs actually read these massive documents.
There are many more sources that you should at least be aware of as a DPO, like relevant EU and international laws, treaties and agreements (TFEU, ECHR, OECD Guidelines, UDHR, CFR, Convention 108 etc.).
(This is particularly challenging for External DPOs, who might act as DPOs for a range of clients of different sizes, in both the public and private sector, in various industries and maybe even across several countries.)
Again, what's crucial, is that you determine what's relevant to you.
The wrap-up
The most important activity you can do, is to sit down and actually read updates, focused. And that has much to do with habit.
You can start using all the tools in the world, but they won't help you (and can even result in getting less done), if you don't have a structure on how you use them.
You can set up your RSS feeds from the EDPB, the CJEU, five DPAs and a bunch of various publishers, which (likely) results in 300 new items a day and you won't be able to keep up.
Just accept that you won't be able to stay on top of it all.
You won't have time to read every single news piece, decision, newsletter, LinkedIn post or even brief summaries. Let alone have time for deep-dives.
And it's better that you spend time on properly reading one crucial piece for your organisation, rather than the 20 latest items on a "daily dashboard" of a subscription service.
PS: This is already a long read, so I took out my sections on useful tools and how to leverage them (yes, including AI), the daily practice and more. Let me know if I should write a follow-up and, if so, what you'd love more input on (like how to actually prioritise, work efficiently, manage time etc.).
You can do this
Lastly, as we continue to navigate the fast-changing regulatory landscape, remember that your role as a DPO is not just a job; it's a journey of continuous learning and adaptation.
That journey might seem daunting, but if you're anything like me, you still love it! Our dedication to staying informed is what empowers us to protect not only our organisations, but also the individuals whose data we help safeguard.
Appreciate the progress you make, no matter how small it may seem. And keep in mind that the work you do matters immensely.
Thanks for reading all the way to the end! If you like this, share it with your DPO friend.
Head of AI Governance and Policy - I help people safely navigate healthcare AI
1 year ago: Thank you for sharing this on the weekend Rie Aleksandra Walle, it did not disappoint! When I read "you're constantly in fire-fighting mode, there's something wrong with your job" I genuinely felt tension leave my shoulders. Great article.
International Lawyer & MBA | Leading AI Governance, Data Compliance, and Privacy
1 year ago: Just the real life of the DPO!!
Principal Compliance & Risk Consultant / Personvernombud for hire
1 year ago: Thanks for this! It took almost a full 24 hours to find the time to actually read it, but in a way that fits perfectly for this article :)
Linux / DevOps / Automation / Data Engineer / ETL / DataOps / Pentaho / Personal opinions here.
1 year ago: Sometimes there is no RSS feed available and there is a possibility to miss an important update. In these cases I use https://www.followthatpage.com/ From their web page: "[...]Follow That Page will never give out your email address, the pages you're interested in or other personal information to third parties, except: * In case we're ordered to do so by a Dutch court of justice. That has not happened yet (June 2023). * In case you're abusing our system for illegal or harmful activities, like exploiting leaks of personal information. Such activities may be reported to the authorities.[...]" If you prefer a self-hosted option just have a look at urlwatch https://urlwatch.readthedocs.io/
Decode CJEU, EDPB & DPA news | International speaker | Grumpy GDPR podcast | DPO Hub & NoTies Community | Not daily on LinkedIn & no app, email if urgent
1 year ago: And for the LinkedIn part, here are some of the people who show up regularly in my feed with valuable content or tidbits that just make me smile/laugh - anyway appreciated!
Tim Clements: amazing educational insights and drawings
Tim Turner: thought-provoking, insightful discussions + DPO Daily
Andreea Lisievici: recently started sharing educational pieces, one to watch onwards!
Dr. Carlo Piltz: regular interesting decisions and rulings
David Rosenthal: for everything he and Vischer law firm shares of tools, templates etc. for free
Peter Craddock: technical insights and reviews
Carey Lening, CDPP: longer write-ups that are thought-provoking and funny
Robert Bateman: regularly shares insightful analyses and deep-dives
Odia Kagan: especially for the US perspective
Luis Alberto Montezuma: is like an RSS feed (!), shares all kinds of privacy and data protection-related content
Phil Lee: helpful infographics and AI updates
Caitlin Fennessy, Joe Jones & Isabelle Roccia (CIPP/E): regular updates both global and ????
Federico Marengo: AI and amazing GDPR charts
Barbara Li: all things privacy and data protection in China
Joost Gerritsen: for keeping us up to date on all things CJEU!