The Data Protection Officer's Role

Dear all

It's been a hard week, this last week: a few issues I had to get my head around, negotiations, worries and concerns about my work... but all seems to be coming together now, and hopefully I can move forward with more confidence and put my worries behind me. It isn't easy being a Data Protection Officer at times. The demands are high: you have to ensure that companies, directors and people are protected, and that also means complying with regulations, standards and legislation. Get it wrong and your head is on the block; get it right and everyone is happy, although they don't always know it when you get it right, because often your work is nearly silent. People don't always recognise the subtle tweaks in their companies that help you to comply with the Law.

We're moving on to this week's subject, that of being a Data Protection Officer, and first and foremost it is right for you to know who you are protecting with regard to legislation and rights. You are there to protect the company you work for, its employees, its directors, its shareholders, its clients and also the clients' data subjects. It isn't often that a person acting in a company is responsible for the data welfare of others outside that company, but being a Data Protection Officer brings extra responsibilities: in all, you are there to protect everyone from data misuse.

I could go into many examples of data misuse from companies around the globe, the most recent being British Airways being fined £20 Million for allowing their customers' data to be breached. The GDPR serves as a reminder to us all to protect our clients' data, especially when it involves financial or special category data such as health data. I feel that the GDPR is a very fair machine and is there to protect the data rights and data freedoms of you and me; it is there as a protection mechanism to ensure that companies abide by the rules and, most importantly, apply appropriate security to personal data. Fall foul of information security requirements and you will more than likely face a data breach, and it is this which gets companies into trouble with the UK Information Commissioner, the ICO.

The Data Protection Act is also there to protect us all, and the GDPR contains provisions that protect the Data Protection Officer too: you are not alone in the fight for data security. The ICO (Information Commissioner's Office), the GDPR and the Data Protection Act (DPA) are there to protect you in your role. It is important to mention that the GDPR and DPA both protect you, and you should read chapter 4, section 70 of the Data Protection Act and also Article 38 of the GDPR. That should give you a degree of confidence in your role; the Law is there to protect you, and you should remember that.

We'll move on to the finer points of section 70. The data controller or processor must ensure that the Data Protection Officer is involved in all issues regarding data protection. If you feel that you are not being included, then you must say so. Involvement in all issues regarding personal data must be discussed and encouraged. If you are not being included, then put your hand up and say so: be included, get involved, and you will discover much more about a company's operation than if you were to stay quiet. Sometimes I have been involved, other times not, and it is when I haven't been involved that I dig a little deeper; it can be surprising what you may find. It is this situation that you must be aware of. Don't hide away: ask for information, ask for access to processes and ask to get involved.

The data controller or processor must provide the Data Protection Officer with resources, training and access to personal data. I have been very well supported in my role and feel that you should be in yours too. If you need some training, don't be afraid of putting your hand up and saying so. There is so much written legislation in the GDPR and DPA that it's right that you say so if you feel overwhelmed. The Data Protection Officer (DPO) has such a demanding role to play that it is right that you seek the advice of others too. I seek advice from one of my director friends, and she is always willing to help and support me in this role, which is hugely gratifying and most welcome. You also need that support.

One of the fundamental challenges of being a DPO is treading lightly where possible. Being a DPO involves 'treading on toes' now and again for the protection of people and the company, and you should not be afraid to mention issues that you feel are controversial, because the DPA protects you. You cannot be dismissed for doing your job, and the DPA and GDPR both say this. So go about your job with confidence, knowing that the Law is on your side. You cannot go wrong trying to protect people, even if you overstate the requirements; it is better to be safe than sorry.

Finally, the Data Protection Officer must report to the highest level of management, as stated in both the GDPR and DPA. You may find, as I did, that middle managers can get in the way of your requirements, trying to dismiss your work as unimportant. You must report to the highest level of management, as I do in my role. You are then able to get your requirements met, as long as they are sensible. Your requests as a DPO must be sensible, backed up by legislation and by the conviction that you are doing the right thing for the person and the company; meet these conditions and you'll find your requests granted.

One last thing: it is not in the GDPR or DPA, but it's important for you as a DPO. If you raise risks to the company in question and they are indecisive, take a leaf out of ISO 27001's book and get management to sign off on the residual risks. Play your part and present the facts; if nothing is done, you've done your best. You have to make people aware of risks; if you don't, you are not doing your job right. Always send reports, Data Protection Impact Assessments, risk assessments and emails to the highest levels in your company. Your job is to protect the directors and shareholders, and you should inform them of any potential issues. Don't be afraid of doing your job: do your job and the Law will protect you.

Best regards


Steven Burgess is an ISO 9001 and ISO 27001 Consultant to companies in the UK and also a Data Protection Officer for Disclosure Services Limited, a company that processes data relating to criminal record checks.