We recently had the pleasure of taking part in a webinar with experienced data protection experts Sam Smith and Noemí Alonso Calvo, alongside Sypher’s Co-Founder Mihai Ghita, which focused on the practical challenges faced by Data Protection Officers (DPOs) in a new role.
Yes, it's true that being a DPO is not an easy job. You cannot change the world in 100 days, but what you do in those first days and the plans you make for the future can make a difference to your organisation and to you as a professional. Here are the key takeaways from the discussion and steps you can take to make the most of your start.
Spend your first 100 days in your new DPO role understanding the organisation and getting to know the people, well beyond the normal employee onboarding process. From senior management to frontline staff, understanding the day-to-day operations is critical.
The aim is to bridge the knowledge gap and translate potentially complex operations into clear activity and data mapping. Furthermore, it is important to be able to translate this business knowledge into legal jargon and vice versa.
Noemi's tip: The job, as she puts it, is that of Sherlock Holmes: find the right contacts for effective communication and collaboration. Find a reliable point of contact, your "Watson," who can interpret organisational structures and be your support for the work to be done.
Getting executive buy-in is key. Boards want to mitigate risk, protect brand reputation and ensure that services comply with privacy principles. It's about building trust and presenting solutions, not just highlighting risks.
That's why it's important to understand an organisation's appetite for risk. No one is 100% compliant with all privacy regulations. What's more, technology is now one step ahead of the law (just think of AI, with its many remits and unknowns!). Assess which high-risk, high-impact activities you should focus on as a priority and formulate a plan. Ultimately, it's the organisation that accepts the risk. You, as the DPO, need to advise on the possible consequences and actions to be taken. Think of yourself as an independent advisor. Some boards will only be interested in doing the minimum legally required to avoid fines and comply with mandatory regulations. Others will want to do more, even turning data protection into a competitive advantage.
Bring both your personality and the issues your stakeholders care about to the table to engage them. In this way, you can begin to build trust in the privacy function.
It's also very important to have a plan, a privacy roadmap, and to show progress. Being hired is only the first step; after that you need to prove that you're making a difference. Keep this in mind whenever you engage with the executive team.
All emphasised the role of training internal teams as resources. Training and awareness programmes are the backbone of successful data protection initiatives. A workforce that understands privacy, from department managers to front-line employees, is a powerful asset. You know what they say... a chain is only as strong as its weakest link.
This is especially true for a DPO when it comes to identifying the changes that need to be made. Implementing change is a significant challenge, especially for a new DPO. You need to effectively communicate the reasons for the change and use the relationships you've built (that's why it's so important to build them!) to gain support.
Sam's tip: Creating a brand around privacy can help you to spread awareness in a relatable way. The role of the data protection team is to make privacy more accessible, fostering a culture of awareness across the organisation without using legal jargon, so that everyone can relate to it.
Besides, being a DPO can be a lonely job without the right support - work with the business, not against it. Make sure people understand that you're there to support them, not put up barriers to new projects they're excited about.
In many organisations, you are the only privacy resource and that's it. Aside from creating a privacy culture and having everyone contribute to privacy as a first line of defence, having a tool at your disposal can be a golden ticket. Provided, of course, that it is the right fit for your organisation and you know what outcomes it will help you achieve. Make sure you do your research well.
It's up to you to influence, adopt or create tools that help you automate tasks and manage a privacy programme more effectively and efficiently. This is strategic implementation, beyond the first 100 days and for the long term - to help you grow and refine your privacy programme.
It's also true that sometimes you come into a new DPO position and find that you inherit some tools. In most cases, you have to stick with those tools because the organisation has already invested and doesn't want to throw it all away. Make the best of it, it's certainly better than just a spreadsheet.
Achieving perfect compliance is a fleeting goal. Yes, you need to be aware of the key regulations that affect your business and know what you need to do to avoid the biggest fines. For example, in terms of regulations, GDPR is still the gold standard, so you can look to that first and then the next regions that are important to your business.
Success can be measured in many ways - one of them is to look at training and awareness (and different KPIs around this), with the aim of creating a culture where data protection is embedded in processes. This translates into a solid reputation for privacy, which, as mentioned earlier, can become a competitive advantage.
A massive win is when the privacy team becomes the go-to resource for new projects, indicating a cultural shift towards privacy awareness. In other words, as a DPO, you want to be in a position where people proactively come to you and your team to ask questions and seek guidance.
All in all, the webinar highlights the dynamic role of a DPO and the start of the journey to establishing a robust privacy management programme that remains relevant as business and regulations change.
Mihai's tip: The actions DPOs take in the first few months and the results they deliver have a big impact on how they are perceived (by management, by their peers) and how successful they are in their job going forward, in formalising the programme. So it's all the more important to get the baseline right and build a solid compliance foundation that can be recalibrated and optimised over time.
The experts' insights provide valuable guidance for those navigating the challenges of the first 100 days in this pivotal role. Hear them all, as well as live audience questions, in the full webinar recording, courtesy of GRC World Forum.
Sam Smith, qualified Solicitor and CIPM accredited with extensive knowledge of GDPR and international privacy and data protection laws, currently Group DPO & Head of Data Compliance at Merlin Entertainments.