The role of the Data Protection Officer (DPO): From Blocker to Builder
Clare Paterson
Data Protection Strategist & Campaigner | Social Housing Data Specialist | Author of 'A Practical Guide to Data Protection in Social Housing' | Speaker | Founder of the DiSH Network | #StartWithPurpose #BlockerToBuilder
(FREE download available at the end of the article.) Data protection law is often viewed as a necessary evil, and a lot of ‘red tape’. But this doesn’t mean that data protection officers (DPOs) and other professionals in the field of data protection should be seen in the same light. Instead, Luke Beckley and Clare Paterson believe, as they presented at the Privacy Space event in November 2022, that it’s time to recognise the immense value that professionals in the data protection field can, and do, bring to a business, and go from blocker to builder:
(Don’t miss the free download at the end of the article.)
“We’ve seen first-hand the frustrations and fears of DPOs who feel they are fighting against the organisations they work for. Add to this the changing landscape of the legislation and the possibility this may lead to (more businesses!) seeing the DPO as unnecessary.
There is also a growing emphasis on ESG (Environment, Social and Governance) in most sectors though, and new initiatives in the name of ESG and EDI (Equality, Diversity and Inclusion) often involve the collection and use of data, which gives DPOs an opportunity to widen their remit and add value.
Why are DPOs seen as blockers?
Let’s be honest, data protection law, as it currently stands, is not sexy. It’s seen as reams of complicated regulation talking about what you cannot do with data.
Data Protection doesn’t talk about revenue generation, it doesn’t talk about ‘tangible’ (i.e. monetary) benefit to the organisation and it doesn’t talk about driving the strategic goals of the organisation.
We often hear colleagues saying things like “I work in Finance, so Data Protection doesn’t affect my job.”
But as we know, Data Protection relates to everyone and will have at least some impact on every department, even Finance. For example, the headcount budgeting process uses names and profiling based on cost, benefits, and may include personal opinions. Payments made and received include names and sometimes personal bank details.
In organisations where there’s a Data Protection team and a Data Analytics Team, budgets are more likely to be cut in our area (Data Protection) under the current thinking and interpretation than in the Data Analytics teams.
That’s because Data Analytics is seen as supporting and driving the business, and Data Protection is seen as stifling the business, introducing ‘red tape’, and telling them what they can’t do.
These misconceptions about data protection lead to the DPOs themselves being seen as blockers to the business. So people will avoid us!
Colleagues either hide from us intentionally, or they just don’t realise that they should include us in their work, and go straight past us on their merry way.
We often find ourselves facing a business that doesn’t value data protection, and we want desperately to illuminate the importance and value of data protection. But coming from that position, we risk reinforcing the misconception that data protection and DPOs are all about blocking the business.
Because it can be really difficult to defend a complex set of laws, especially when the name itself doesn’t do it justice: “Data Protection” sounds like it’s only about security. Non-DP folk can be forgiven for thinking that as long as they keep data secure (and the IT team is on top of that, of course) there’s nothing else to worry about.
So, our colleagues may find themselves, understandably, thinking “why does the DPO keep banging on about Purpose Limitation and Retention Periods…?”
Is it worth continuing to fight this fight, then? To keep explaining over and over that Data Protection is about so much more than security, and that it affects all areas of the business?
We believe firmly that it is worth continuing to fight the fight, but it’s not easy. So perhaps we need to change our approach. We believe we need to work hard on changing the reputation of DPOs from blocker to builder.
How do DPOs go from blocker to builder?
Data, including Personal Data, is one of the most valuable assets a business has. What the business wants is to understand “what’s in it for us?” They want to know how they can use the data they’re collecting, to drive revenue, profitability and enhanced market presence.
On the other hand, what Data Protection professionals are trying to achieve is the fair and lawful use of data, and the protection of the rights of the individual.
As soon as we talk about ‘Personal data’ or ‘Data Protection’ then our standing in the business, in our experience, is compromised and we are operating in a different and significantly less influential capacity. We’ve alienated ourselves from the business objectives and aims, and presented a view that has only one outcome: We’re seen as the blocker to business output, growth and financial gain.
DPO knowledge
It goes without saying that DPOs work hard to keep up to date with the prevailing and applicable legislation. This is the key element we are employed for.
It’s assumed we know what we need to do under the various legislative acts to comply. And we do know these things, even if we can’t quote the laws verbatim.
(Clare: “That’s me! I cannot – and do not – quote the law off the top of my head.”)
However, there’s something else you know as a Data Protection Officer…the business, and its people.
DPOs have a wealth of knowledge and insight about the organisations they work with.
And while it can feel like we’re walking on a tightrope between the DP law and the business, remember that from up here, we have a unique, global, view.
We can see the whole picture – both the legal issues and the business issues.
So how do we put that view to best use? To bring the law and the business together?
DPO skills
Think about all the times you are called upon to put your knowledge of DP law to use in your role. Do you just quote the law, and leave it at that? A good DPO certainly doesn’t!
Here is just a selection of the skills we DPOs employ to put our legal knowledge to use:
Business Analysis: We are skilled interviewers, and we understand complex ideas and processes. In our roles, we need to build rapport with a myriad of people throughout all levels of the organisations, so we can map out those processes and data flows.
With our holistic view of the organisation, and how it is actually operating, from these interviews and maps, we can help to relate those processes to the organisations’ strategic objectives.
Project Management and Change Management: DPOs’ ability to build relationships with stakeholders is crucial in negotiating the inclusion of Data Protection into the business processes. Yes, we know it should be a given, but we know we’re all negotiating change!
Before we can do that, we work out how to relate the specific element of the prevailing data protection law to the business processes; we have to understand the business drivers and understand how those processes interact.
Audit Management: From our work we form audit schedules and procedures that we need to carefully introduce to the business. The results of these audits then highlight additional requirements for maintaining and updating data protection throughout the organisation.
DPOs also have training and consultancy skills, can analyse data and understand its significance, are tenacious and passionate about their work, and after all that can stay calm in the face of stress!
Data Protection professionals are using these skills almost subconsciously while applying their DP legal knowledge.
So how do we use those skills, with that knowledge, to become seen as a builder, not a blocker?
Turn it around!
Turn the focus of your work away from your knowledge of the law, and onto the skills you have, that you use when implementing legal requirements.
You may have been employed for your knowledge of the law, but look at all the skills you need to utilise even before you can get to the point of implementing the law.
However, so many DPOs take for granted that we have those skills. Every time we’re asked “just a quick question”, we undertake interviews, define processes, and conduct risk assessments, often before we can even get to the data protection part!
Critically though, we’re only seen to be shouting about the data protection part.
We haven’t revealed nor emphasised the interviewing, business analysis, process mapping, risk management, data analysis skills (and so much more); we’ve done that almost in secret, then we’ve answered the legal question.
So we’re calling on all Data Protection professionals:
Reveal your inner superhero skills and powers!
Let’s shout about those skills first and foremost.
Or if we’re feeling really manipulative… sorry, influential(!)… then we can reveal and shout about only those skills, and stay quiet on the data protection part.
If we shout about our business analysis, process mapping, and risk assessment skills, they will be seen more clearly as defining our purpose and benefit to the business.
Which doesn’t mean we’re not still “doing” data protection, but we will be able to drive “data protection by stealth.”
“Data protection by stealth” means having business processes that are data protection compliant, almost without anyone realising, because the compliance is so “baked-in” that it is an inextricable part of the process, not an add-on that feels clunky.
This is the goal we have for our own organisations and clients, very much in the same way as safe working practices have become the norm in construction.
Our tips for baking-in data protection to all processes in your organisation include:
If this sounds like a lot of extra work on top of an already busy workload, we completely sympathise, so here are a few ideas about how to make this work for you.
Next steps
“The way to get started is to quit talking and begin doing.”
~ Walt Disney
We can’t promise that every organisation and business is going to appreciate your skills, and your ability to be a builder, not a blocker. But that doesn’t mean it isn’t worth revealing your inner superhero to show your colleagues (or maybe even a new employer…) the immense value you can, and do, bring to the business.
Your mission, if you choose to accept it, is to stop talking and begin doing…and we are here to be your accountability buddies and cheer you on.
Contact us in the coming days, weeks, and months, to let us know how you are getting on with going from Blocker to Builder.
Find us on LinkedIn, we can’t wait to hear how you’re getting on, or how we can help you: Luke Beckley and Clare Paterson.
Join The Hive – free group on LinkedIn and meeting monthly online.
Data Protection & Governance dude | Founding member of Data Protection City | unCommon Sense "creative" | Proud dad of 2 daughters
1 yr: Or From lawyer mindset To engineering mindset. I can't refrain from posting this, even if I don't intend to offend my respected lawyer connections.
Esemplastic, call me! CISO/Head of Service Delivery, DPO, Cyber InfoSec, IG/GDPR, Programme Director, Projects/Turnaround, Business Relationship Manager
1 yr: I try to offer guidance to enable and a hard pause when needed. I protect business operations from 'unnecessary noise' while encouraging practice that keeps audit and risk happy. What else but to be happy and protected?
Data Protection Manager, AIGP
1 yr: Really enjoyed the article Clare, we can often be quite isolated in organisations so hearing about other DPOs’ experiences is always really useful. You’ve explored really well the type of ‘critical friend’ relationship we need to have with our organisations. Thanks for the read!
After 25 years in digital asset creation and team development, I now explore the dynamic between humans and technology. MSc Cyberpsychology, Ethics, Privacy, Security, and AI.
1 yr: Agreed!! DPOs build business opportunities and brand value. Trust is a foundational part of any effort to reduce churn and to build a community ... brand management!!!