What Does a DPO Do?

Faced with the requirement of retaining a Data Protection Officer (DPO), it is important to understand their role.

Regulatory language describing the duties of a DPO list the following:

• Monitor compliance with relevant regulations and with the company’s own policies in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits
• Inform and advise client and client employees responsible for handling personal data
• Provide advice in the conduct of a data protection impact assessment
• Cooperate with regulatory authorities, and act as their point of contact on issues relating to the protection and processing of personal data.

The above list, however, implies that a DPO is inheriting an existing privacy and data protection program. Because organizations more often hire a DPO to help them build such a program, the following list is more practical:

• Initial assessment of the means of collection, use, storage, sharing and retention of personal data, as well as an inventorying of the location of personal data within the organization, and the personnel interacting with it
• Initial assessment of public-facing privacy policies, and operational alignment of opt-in/out-out Data Subject preference mechanisms
• Initial recommendations for aligning relevant aspects of information management with privacy and data protection requirements, best practices, and public-facing assurances
• Evaluation and recommendations related to data processor and/or subcontractor agreements
• Create, review and/or modify privacy notices, consent forms and policies
• Create policies and procedures for managing Data Subject access requests
• Develop systems for monitoring privacy and data protection activities and perform privacy and data protection impact assessments as needed
• Provide tools for required staff training
• Serve as point of contact for client’s customers’ privacy compliance officials, as well as privacy and data protection authorities
• Monitor and inform client of developments in all relevant privacy and data protection regulations, including risks and opportunities represented thereby
• Oversee data security breach investigations, and advise on appropriate follow-up

How a DPO is more than a DPO?

Optimally, a DPO becomes more than a DPO by providing value beyond the basic duties.

A DPO’s experience and acumen can, for instance, enhance strategic positioning, customer loyalty, contract negotiations, and RFP responses, and in that way, a DPO can also distinguish a service provider from its competitors, especially when their customers’ regulatory compliance is dependent upon the service provider having a DPO.

Equally valuable, a DPO with an awareness of regulatory principles, a respected pedigree, and an aggressive approach to monitoring regulatory initiatives, can actively represent controllers’ and processors’ interests when emerging regulations make their way through legislative approvals and rulemaking.

In this more expansive role, a DPO should be able to:

• Provide coaching to management, operations, sales and other authorized staff
• Align sales and marketing with emerging regulations
• Assist with RFP & contract evaluations and responses
• Monitor developing regulations and interface with policy-makers when warranted
• Help prepare clients to capitalize on imminent regulatory changes
• Participate in webinars for clients’ employees and customers on privacy and data protection issues
• Present at national and international events to improve their standing

There is little doubt – regardless of what it is called – that all organizations entrusted with personal data will eventually have a qualified Data Protection Officer. It is equally certain that, due to its highly specialized nature and the associated financial benefits, this function will typically be outsourced.

The only real decision, therefore, is whether this reality is embraced now as a tool for differentiation and growth, or if the decision is delayed until those who seized the opportunity early have reaped the benefits.