• Thomas Bolliger, Partner |

GDPR gives Data Protection Officers a hard time: How can they tackle it?

It’s sink or swim for DPOs as the GDPR creates a tsunami of challenges. With the stakes high, DPOs face great personal risk if they get it wrong. Still, they lack the resources, in-house know-how and authority to pull together the necessary expertise to deal with the rising tide of urgent requests.

Little capacity for high volume and growing administration

The GDPR places a heavy burden of responsibility on the Data Protection Officers’ (DPO) shoulders. They’re facing unprecedented peak loads of data subject requests and/or must deal with the time-consuming consequences of data breaches. Meanwhile, more time is required for administrative tasks such as data minimization, regular liaison with data owners, implementing and setting up the newly required processes, administering the records of processing activities and documenting the result.

Because the DPO role is often imposed on legal or compliance staff in addition to their existing jobs, they lack the resources to handle these tasks.

Broad spectrum of expertise required

Most organizations and DPOs do not have access to the broad range of necessary skills in the areas of data management, cyber security, legal and compliance, risk management and audit. Yet, these skills are critical to running complex compliance frameworks and especially Data Protection Impact Assessments.

In fact, many DPOs might’ve just taken over the function ad interim without having had time to attend adequate training because their company is still transitioning into GDPR compliant data privacy organization and governance. Moreover, companies are still recruiting to fill the DPO position – a position that’s new to them. No easy task. Finding the right blend of experience and skill is difficult on the current market as data privacy professionals are highly sought after thanks to the GDPR.

High stakes: reputational and personal risk

Data protection issues can trigger huge fines with cases of non-compliance reaching up to 20 million euros or 4 percent of annual turnover.

As a result, DPOs face growing pressure and higher expectations from both management and employees. On the one hand, they’re under pressure to avoid data protection issues such as data breaches. On the other, they’re expected to facilitate a rising volume of data subject requests. Furthermore, public awareness of these issues has risen putting on additional pressure to such an extent that DPOs are well advised to handle all time-critical data protection issues immediately to avoid reputational risks.

Sink or swim: What steps can DPOs take today?

Despite the overwhelming demands and lack of resources, there are a few key steps DPOs can take to begin to successfully tackle some of these challenges.

Step 1: Set up governance and gain access to subject-matter experts

As a DPO, make sure you get support. Therefore define the different tasks, roles and responsibilities to establish a privacy governance. Build a virtual, internal privacy management organization with the support of top management and distribute the work to many people. Make sure you get access to data protection experts as well as specialists in cyber, audit, compliance and IT inside and/or outside of your organization. This will improve your multidisciplinary knowledge about data protection issues and will help you to handle and provide comprehensive solutions for data protection-related business cases.

Step 2: Organize your workflows and outsource

Set up a central point of contact for the operational handling of data protection specific requests such as for data subject rights (deletion, rectification, access, portability) and for data protection impact assessments.

Keep in mind that GDPR allows for the outsourcing of these types of activities, which may reduce your administrational overload and cost. It’s dealing with the sheer volume of data requests that demands high administrational effort on the part of DPOs.

Step 3: Automate GDPR management

DPOs are currently handling tasks manually. However, many of these tasks could be automated to save time and money. This means that you automate processes that reoccur and ensure the continuous execution of such processes such as for example:

  • Training on a continuous basis
  • Conducting periodic status queries (i.e. Is data minimization being performed?)
  • Reviewing risks and effectiveness of controls
  • Preparing management reports
  • Ensuring automatically that roles and responsibilities are filled and permanently assigned (fluctuation)
  • Entering and maintaining processing records

To make the DPO’s life a little bit easier, we’ve put together a portfolio of DPO support services to assist you.