Before the General Data Protection Regulation (GDPR) came into force in May 2018, typical businesses gave little thought to their data protection compliance obligations. Responsibility for compliance often sat with the in-house lawyer or the compliance manager, the Data Protection Act 1998 (DPA 98) was little understood, and a tick-box approach to compliance was followed.
Times have changed, however. Data protection is now a board-level issue and private organisations are taking compliance seriously. The role of the Data Protection Officer (DPO) has become an important one in business, and DPOs are driving positive change. This is partly down to the requirement to comply, but also, in my opinion, because organisations, especially consumer businesses, want to build trust with customers.
In short, it is a combination of the GDPR coming into force and rising consumer expectations. Good privacy is now seen as a selling point, and organisations are paying closer attention to data protection as consumers become more aware of their rights.
The implementation of GDPR on 25th May 2018 felt like a radical change to many businesses. In truth, it was more an evolutionary development, but it felt bigger for a number of reasons. Firstly, the scale of potential fines increased considerably; secondly, businesses were not really compliant with the old law, and therefore the amount of work to ‘catch up’ felt bigger; and thirdly, the GDPR placed a number of proactive obligations on organisations.
These obligations included the need to carry out data protection impact assessments in certain circumstances, to create records of processing activities, to implement data processing agreements and, in some cases, to designate a DPO. They also included less tangible obligations such as implementing ‘appropriate’ technical and organisational measures, ensuring ‘data protection by design’ and demonstrating ‘accountability’.
Accountability is probably the biggest change because it drives proactive data protection management rather than reactive box-ticking. It requires senior leadership involvement and positive engagement with the topic. When that happens, the benefits of good data protection are recognised. Data protection goes from being a compliance burden to an opportunity. Who better to help ensure this opportunity is realised than the DPO?
Accountability & DPOs
Accountability is not a new concept; it can be traced back to the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and was arguably an implicit requirement in the DPA 98.
GDPR has brought accountability front and centre, though, by making it an explicit legal obligation: Article 5(2) requires the controller to be responsible for, and able to demonstrate, compliance with the data protection principles.
GDPR also introduced a mandatory requirement to designate a DPO in specific circumstances. Any organisation can designate a DPO voluntarily if it wishes to do so, but it is mandated to if it meets the criteria set out in Article 37, broadly: public authorities and bodies, organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organisations whose core activities involve large-scale processing of special category or criminal conviction data.
Some countries are more familiar with the DPO role, such as Germany, where the national requirement to designate a DPO is stricter than that set by the GDPR. Here in the UK the DPO role was less well understood in the private sector, but the need for many companies to designate a DPO and to demonstrate accountability has made the role highly significant.
Good people skills
Private businesses can be complex. Leadership goals and ambitions can differ. Shareholders may have their own objectives, especially private equity owners, and strategy and timelines can quickly change.
For this reason, the DPO in the private sector needs to be able to navigate complex structures and nuanced strategic goals. They need to be a good communicator and an even better listener, in our opinion. They need to be able to explain ‘why’ something has data protection implications and not just say ‘no’.
These aren’t requirements set out in Article 37 of the GDPR but they are, in our view, critical to gaining buy-in from business stakeholders. Bringing key decision-makers ‘with’ you is always going to be more successful than telling them what ‘they’ must do.
Tone from the top
Accountability starts with senior management, and the DPO needs them to set a ‘tone from the top’. Senior management need to be explicit about the importance of data protection, why it matters, and the consequences of non-compliance.
Without board or executive-level buy-in, the data protection programme will fail, because employees and managers will prioritise other activities. They will conclude that the business doesn’t value data protection and they won’t support the DPO’s work.
As we’ve said above, an accomplished DPO will be able to foster buy-in at all levels and engage an organisation in a way that ensures everyone fully understands the importance of data protection. They will only achieve this with a clear tone from the top which makes it clear that good data protection is a strategic priority.
With the need to demonstrate accountability to comply with the GDPR and increasing consumer expectations, businesses have a great opportunity to build a positive data protection culture.
The Data Protection Officer (DPO) should sit at the heart of this activity. They will require good people skills, in our experience, but most importantly they require senior management support. With good executive buy-in and explicit support, the DPO can successfully drive positive change in private businesses. We have more information available on whether to hire an in-house DPO or outsource the DPO role.
As a specialist data protection consultancy, Evalian is well placed to assist you in navigating the complexities of an uncertain and constantly changing data protection landscape. If you would like an informal conversation on how we can assist, please get in touch. We can steer you in the right direction or, if you need help, we can assist at every level to ensure that you are covered.