How much DPO time is right for me?
Data protection officers (DPOs) are often seen as secret weapons in an organisations’ operations arsenal. When done right, they can quickly and effectively make the headache of managing your data protection obligations go away – leaving you free to focus on running your business. But how do you know much DPO time you need? And why? That’s what I’m looking at in this blog.
How much DPO time do I need?
The amount of time needed of course varies on the size of your business, the nature of your operations and how often things change, but in my experience there is a great starting point that seems to be universal for most SMEs: 1 day per month.
If you’re one of those organisations who are really in a bad place, I’d recommend combing DPO services with some GDPR compliance support. Get your GDPR sorted as an initial project, and then let the DPO take care of it all ongoing.
Let’s look more closely at what a DPO does to find out where 1 day per month comes from.
What does a DPO do?
1. Keeping up-to-date with changes
First up is keeping up to date with any new processing that’s taking place. For example, if your company decides to start collecting additional personal data from its customers, this needs to be recorded in the record of processing and a lawful basis needs to be established. Depending on the type of personal data being processed, there may be a need to conduct a data protection impact assessment, which is a risk assessment or a Legitimate interest assessment if Legitimate Interests is the lawful basis chosen. All of these needs to be recorded and documented every time something changes. Equally, if you stop some processing, your ROPA should reflect the change.
2. Updating documentation
It probably won’t surprise you to read that there is a lot of documentation to keep up to date with the GDPR, and all GDPR documentation should be reviewed at least annually. This is something your DPO can take off your plate. A sensible approach is to review at different times in the year so that there isn’t a pile of docs to review all in the same month – so spreading it out on a monthly basis helps to keep the workload to something that’s manageable. Some docs, like your data breach register and privacy notice will change more frequently and so will need attention as the need arises.
3. Legislation updates
The GDPR is law in both the UK and the EU, and legal cases in both territories bring new perspectives on how the law is interpreted. The European Data Protection Board also regularly reviews aspects of the GDPR and provides detailed guidance on how the law should be interpreted. Keeping on top of this should be an activity a DPO is doing monthly to ensure that guidelines and latest advice are being followed – and working out the impacts to your organisation.
4. Data breach support
Something that surprises a lot of people when I tell them this, is that data breaches actually happen fairly regularly. Thankfully, most of the time they’re fairly minor – think someone emailing the wrong person. But all breaches should be investigated and recorded in the breach register. People who have been responsible for the breach may need further training and reminding of their GDPR responsibilities as well. For more serious breaches, there could be a lot of work involved to fully investigate what happened, identify exactly who has been affected, implement mitigation measures and report the breach to the Supervisory Authority. Plus then follow up with any investigation that may result by the Supervisory Authority. There may also be a need to notify data subjects..
The GDPR gives data subjects a number of rights, and the one that most people know about is the right to access. This is where an individual can ask a company to provide any personal data that they hold about the data subject to them. This is called a data subject access request (DSAR, or sometimes just a SAR), and can be an extremely detailed and time-consuming process. Your company will need to search your documentation, your email communications, and chat (e.g. MS Teams) for anything that may be relevant. Needless to say, your DPO being responsible for overseeing this saves you many hours of work: responding to the data subject, reviewing documentation to be sent, ensuring documentation has been redacted etc – all within the one calendar month deadline. There are of course other data subject rights such as the right to erasure – where again the DPO may be required to be involved in helping the data subject exercise these rights, while also ensuring the company is protected and the correct actions are taken.
6. Due diligence
This one is a big one, and is something that’s growing quickly in terms of the amount of time DPOs are spending on this. Due diligence is a two-way street. As a company, the DPO should be involved when new suppliers are onboarded to ensure they meet GDPR requirements. This will involve the DPO asking some key questions about the supplier and reviewing any documentation such as privacy notices, data processing agreements, contracts, etc. They may design a customised due diligence questionnaire for this and develop risk scoring to determine how to assess a supplier in a consistent way. In the same way, the DPO of a company will also have to deal with any incoming due dil requests made by their customers. This may involve completing a GDPR questionnaire and providing evidence that the company is compliant.
7. Training and awareness
This is something that easily gets overlooked in a business. And whilst it’s not necessarily something that happens on a monthly basis, training is a requirement. DPOs are responsible for designing and developing the training needed for a company to ensure its staff understand their responsibilities under the GDPR and any other data protection frameworks. This may involve annual training, or even more frequent training or reminders via company communications.
8. Queries and advice
The DPO is the go-to person for any GDPR queries and questions that may arise throughout the business. For example, your marketing team may need to understand whether they can send a marketing email to customers, someone may have received a request from a customer to erase some data, the company may be thinking of buying another company and will need advice on how personal data can be handled in this situation. These are just a few examples - the list is long and a good DPO will make themselves available to support the business in answering these questions to ensure your business stays on the right side of the law.
9. Working with the business
A good DPO will be working closely with all parts of the business to ensure that data protection by design is being implemented. By this I mean things like data protection considerations are being made during the planning stages of projects, and not bolted on afterwards. This helps to prevent data protection issues and avoids having to awkwardly try to integrate data protection safeguards after the event. The DPO therefore needs to be very plugged into what is happening across all departments and be providing guidance to teams to ensure data protection is suitable considered.
Working smarter, not harder
For most SMEs, doing all this to a good standard takes around a day per month. If your business is particularly complex, or interfaces with a lot of personal data, or if you’ve never done anything with data protection, then perhaps a bit more. One of the main benefits of an outsourced services vs an internal hire is that you can flex your DPO time to meet your actual requirements. This means you’re not over-paying, or under-delivering. Enterprises also benefit from this right-sized approach as a means to supplement their internal data protection officers at busy periods.
A good DPO will also work with your CISO (or virtual CISO) to see where efficiencies and synergies can be found. For example, making sure your penetration test includes the systems that interact with personal data to ensure compliance with Article 32 of the GDPR, or combining GDPR training with your annual security training to minimise operational impact.
As our customers like to tell me, getting all this for 1 day a month is a bargain.
Trusted cyber security & compliance services from a certified provider
Get a quote today
If you are interested in our services, get a free, no obligation quote today by filling out the form below.