There are a number of new roles under the EU’s General Data Protection Regulation (GDPR), like the roles of controller and processor. Probably the one that most people are familiar with is the data protection officer (DPO), the person within the organisation who is responsible for monitoring internal compliance with GDPR, and who provides advice about data privacy and data protection. This role is mandatory[i] in organisations that carry out certain types of data processing, but plenty of other organisations have decided that they would rather be safe than sorry, and have also appointed someone to this role.
DPOs are required to be experts in data privacy and data protection, including the latest legislation, jurisprudence and best practices, and report to the highest levels of management. They must also be independent, which means that the organisation cannot ask them to do anything that conflicts with their advisory role, such as determining the business reasons for processing personal data. In other words, if they did have a role in processing data before their appointment as DPO, this will need to stop.
This is a bit of a challenge for many organisations. The people who traditionally know most about the effective use of data are usually the people who are doing the most data processing – because they are the ones who need to know. Now, though, DPOs are introduced, and they are there to make sure that the organisation is compliant with the GDPR. Their expertise is, necessarily, in data privacy and data protection, and not in the business. No compliance officer can be expected to understand the business context of every situation. In order to make the right decisions about the use of personally identifiable information (PII), however, organisations need both expertise in data privacy and data protection and an understanding of the business context.
Introducing the privacy champions network
Many organisations, SAS included, have come to the conclusion that they need another role. SAS, for example, has created the role of privacy champion – or, rather, a network of privacy champions across the organisation (full disclosure: I am one of SAS’ privacy champions). These privacy champions have the role of ensuring that the company is making responsible yet commercially viable decisions about how to use (PII) data. This is, in other words, very much the front line of GDPR implementation, where decisions are made on a daily basis about how (PII) data can, and should be, used.
What is crucial about the role of privacy champion is that we have both data privacy and data protection knowledge and knowledge about the business, as well as an understanding of IT. A fit-for-purpose network of privacy champions needs to understand data privacy and data protection – and for that, we can also draw on the expertise of the DPO – and also understand the business and IT functions and capabilities. The network therefore includes representatives from all functions, such as sales, HR, professional services and delivery, and finance. By doing this, we can ensure that decisions about (PII) data use will be made in the right context, and with a full understanding of the business problem and opportunity.
In many organisations, the privacy champion role includes being the first point of contact for data privacy and data protection questions, liaising with the DPO if necessary. Privacy champions are also likely to be the point of contact for the DPO inside the line-of-business functions. The role might also include publicising training and awareness activity on data privacy and data protection.
These are the obvious functions, and largely administrative. Over time, though, I think – and hope – that the privacy champions network will become more than that. I think it will develop into a network of advocates for both guarding the privacy of our customers and the creative use of data. It will be the eyes and ears of the DPO on the ground, but also the window for the business into the use of data. It will, in effect, be the group responsible for creating a new culture of data awareness and understanding in the organisation, making sure that business users are aware of and buy into the new world of GDPR.
Strengthening the fabric of data privacy
There are a number of organisations that view the GDPR implementation very much as a threat. Others, however, see it as an opportunity, albeit one that needs a considerable amount of care. Privacy champions are part of both guarding against any threat of noncompliance and also ensuring that the company can take advantage of the opportunities presented by the huge amount of data that is increasingly available.
[i] See https://www.privacy-regulation.eu/en/article-37-designation-of-the-data-protection-officer-GDPR.htm