Why More Staff In Your Privacy Team Will Not Help?
Punit Bhatia
Managing Consultant at FIT4PRIVACY | Making Privacy, Data & AI Compliance and Sourcing Hassle-Free | Host of the FIT4PRIVACY Podcast | Published Author | Keynote Speaker
In a world where we are used to instant fixes, adding more staff to the privacy team may seem the obvious answer to the overwhelm that we all go through. However, a more pragmatic and strategic approach is to build a culture of privacy: align with executive leadership, get business managers to take ownership of privacy matters, and guide staff on when and where you and your privacy team need to be consulted.
The Role of Data Protection Officer (DPO) - As It Should Be.
The role of a DPO is clearly articulated in the law. As DPO, you must inform and advise the organisation on data protection compliance matters while monitoring the state of compliance. A direct reading means that the DPO role does not include decision making or doing the work itself. For example, it is not the responsibility of the DPO to perform a Data Protection Impact Assessment; the DPO advises on it. Executing the stated obligations is itself a challenge, because it requires an in-depth understanding of the law, the ability to interpret it, and the capability to understand business needs. Performing the role is no easy task: it requires being a champion of privacy law, having a decent understanding of other laws, communicating across all levels of the organisation, managing stakeholders, and being street smart as the point of contact for supervisory authorities. So make no mistake, this is already a lot to expect from one person. It is therefore natural that an organisation needs to support the DPO and provide additional resources so that the DPO role can be executed and privacy compliance demonstrated.
The Role of DPO in Reality and Its Challenges.
Whilst the DPO role is defined in the EU GDPR, what a DPO actually does and is expected to do is different. To understand the perspective of those on the ground, I carried out a short research project at the end of 2020 and the beginning of 2021. As part of this, I spoke to more than 15 privacy professionals and asked what their challenges, frustrations, fears, and aspirations were. It was fascinating to learn, and to have it validated, that most of the challenges of the DPO role remain similar irrespective of organisation, sector, and country. The commonly stated strategic challenges were:
- Buy-in from executive management. Getting the right attention and executive focus on privacy matters remains the key challenge for most DPOs. This includes securing budgets for the resources and support needed for effective execution.
- Engagement with staff and management. Convincing business stakeholders to take ownership of privacy actions and to consult the DPO proactively is difficult, and the result is a lack of engagement with management and, eventually, with their staff.
- Right positioning. Clarifying that the DPO role is advisory and not decision making is a challenge, and the result is that focus is diverted from monitoring compliance to handling day-to-day issues. This means DPOs tend not to define a privacy strategy and instead stay in firefighting mode.
In these circumstances, when you are overwhelmed with work, cannot find enough time to further your strategy (if you have one), and start taking it personally, it is natural to think that adding more staff to your privacy team is the logical solution. It is not. Adding staff lets executive leadership continue to believe that you have all you need and that the organisation is doing well on privacy compliance. Meanwhile, your challenge of engaging staff and getting them to own privacy matters remains. Worse still, they continue to rely on you to manage privacy, and the gap between the privacy team and the business teams persists. So let us see what you need to put in place before you expand your privacy team.
A Strategic Approach To Privacy Can Help You
It is always imperative to solve problems from a strategic perspective, or more simply a root cause perspective. Adding staff is an operational approach, or at best a tactical one. In my view, the problem needs to be managed along three dimensions:
- Develop a privacy strategy with executive leadership. This means aligning with the executive leadership in your company to create awareness of both obligations and opportunities. Once you have done this, yourself or via an outside-in approach, you can create a privacy policy and get buy-in from leadership to implement it through a privacy strategy focused on the business and customer perspective.
- Create a network of privacy champions and define a set of privacy controls. This means onboarding the next level of management in your organisation to collaboratively create a network in which key business stakeholders play a part in realising the privacy strategy. As you do this, you can also define a set of controls that measure the success of the strategy. This allows you to fulfil your monitoring obligation, management knows what they need to live up to, and your executive leadership gets a handle on what the risks are and where they need to focus their attention.
- Describe the privacy responsibilities of specific functions and of all staff. This means creating awareness among key teams such as marketing, human resources, IT and procurement of what they need to do, from a privacy perspective, in the context of their day-to-day jobs. The objective is to integrate privacy requirements into their work through scenarios, so that they are aware enough to manage things themselves and come to you and your team when in doubt.
In my experience, most privacy professionals focus on explaining privacy in the hope that others will understand privacy matters. However, the real need is to explain why privacy matters and in which scenarios you have a role, so that they know when to consult you. The objective is to make them aware, because you and your team are the experts who can help, but for that to happen they need to come to you.
Keepabl's SaaS is Privacy-in-a-box for busy professionals operationalising governance at their organisation, see how at keepabl.com
3 years ago: Very interesting article as ever Punit Bhatia! Thank you. Your recommendations really position the DPO as a strategic business partner, which is something Tom McNamara came on Privacy Kitchen to discuss (also the 'conflict / in practice' part, which it looks like we agree on too). It's a very live topic of debate, and going the strategic business partner route is a clear direction and one where the DPO's unique view of the organisation gives them a real advantage. Personally, I also always repeat: if you don't need a DPO under applicable law, don't use that title for the person. Everyone needs a Privacy Champion, just don't call them DPO if you don't need to (or really want to for other reasons), so you avoid the conflict piece.
Privacy Consultant | Son | Husband | Amateur chef
3 years ago: I LOVE READING YOUR INSIGHTFUL THOUGHTS
Data Management & Data Protection | Data Privacy | Imperial College | Financial Services | HealthTech | Tech | Marketing | Regulatory Compliance |
3 years ago: Well, you are arguing that the DPO is in day-to-day fire-fighting mode, so of course the DPO will need to bring in more resource if there isn't sufficient resource to work on "strategy". Although I'll hold back on putting forward and advocating that DPOs need to do "strategy". I think this is a wider data management issue and regulatory compliance issue to solve for, rather than a data privacy issue alone.