*Image credit to Star Wars, part of Disney - also a spoiler, I make references to the Jedi*
I am often asked what makes a good Data Protection Officer. Or rather, “what are the requirements and expectations of a Data Protection Officer?”, “What does the GDPR mean when it says X?” or “What is the ICO’s view on a DPO for Y?”. All are valid questions with perfectly valid answers in what the GDPR states, what the DPA 2018 states and what the supporting guidance states. But what does that actually mean in the real world? When you are facing the everyday challenges that we DPOs face each day, what does ‘appropriate’ mean?
Indulge me a little bit as I explore what I think are the more useful requirements and skills of a DPO, through the medium of the Jedi religion.
I refer to myself as an information Jedi. And I do that for a number of reasons. First and foremost, I hate the word consultant or ‘subject matter expert’. I have a passion for what I do and I’ve cut my teeth on a few things, nothing more. Secondly, as a believer in the power that information can have, I also believe in its good and bad sides (just like the force) and believe there are people that use it for both good and bad purposes (Jedi vs Sith). And being a geek, of course, I am going to relate to something uber geeky. That is my map of the world, and while I’m not looking to convert you, just take a look at some of the core parts and see if you, as someone that works with Data Protection, embody some of these traits and skills. And if not, why not?
Let’s start with the formal requirements of a ‘Data Protection Officer (DPO)’, as defined and outlined in the GDPR. Articles 37, 38 & 39 outline the tasks and position of the DPO which all revolve around advising and supporting the business, data subjects and the ICO. I’ve summarised these below with any relevant notes from the Article 29 Working Party (now the Data Protection Board).
Article 37: Talks about the designation of the DPO and when you do indeed need one. In short, if you are a public authority as defined by the FOIA2000 or doing anything that is just intrusive (using special categories and/or large scale monitoring of people) then you are likely to legally require one. Especially if using that 'intrusive' data is core to what you do / how you make your money then it is very likely that you need an independent voice to keep a check and balance on what you are doing. But remember, as per the guidance from the A29 Working Party on DPOs, if you want one but don't need one, only call them a DPO if you want to opt into the requirements. Otherwise call them something else, Data Protection Jedi maybe?
Article 38: This then talks about the position of the DPO and this caused a lot of excitement when it first came out. Especially the confusion around "The data protection officer shall directly report to the highest management level of the controller or the processor" which the A29 WP guidance clarified by saying this means "access to", and not necessarily that they themselves report directly to the Board (or similar management committee). Which was a shame I feel, I'm pretty sure we could make the argument for 'appropriate resources' for a DPO at director level to be a private office in the Bahamas... Or just our own private secretary!
In short, the DPO should be in a position to enable them to work with all parts of the business, including the Board. Placing them at the bottom of the reporting chain doesn't do the job on a number of fronts so place them somewhere that logically fits within your company structure so that they can crack on with supporting all parts of the business, including the Board.
Article 39: As we all know, there is a stark difference between what the law requires and what is actually deliverable and achievable within an organisation. Especially if you need to move that organisation from a place of ignorance to a place of knowledge and engagement. So how does a DPO do that? Well, there is no golden pill or ultimate Jedi superpower that can do it for you, but there are a number of skills and attitudes that can help you. And remember, not every Jedi is perfect, even Yoda failed in his goals and traits. But remember, in failure, there are lessons for the greatest teacher is failure.
The Information Commissioner distils the requirements of the GDPR (and those replicated in the DPA 2018) and the guidance from the Article 29 Working Party (now the Data Protection Board) into a useful summary of the 'basic requirements'. The skills below are things that I, and others from various sources, agree are some of the skills and virtues we DPOs should aim for. See if you can spot the resemblance with the Jedi order...
I don’t say this as a ‘you must know everything about Data Protection’, because that is impossible. Even under the old DPA 1998, no one could possibly know all applications and scenarios that would come up as Data Protection has to work with all aspects of life, Government and Business. But a good DPO understands the basics and the fundamentals. The core parts of Data Protection and what they mean so that no matter what the situation, you always have a good basis to start from. For me, these are the Data Protection principles. If you can know and practice these in your everyday work, you start from a good position and can generally land in the right ballpark, regardless of the query or challenge that faces you. I've written recently on one way to remember them, through the joys of music! But anything that works for you, do!
We often have a habit as DPOs (and indeed as human beings) to over complicate things. So start with the basics, and build from there. As Yoda, a very wise Jedi Master often showed to Masters and Knights alike, it is the basic and small things that often make or break a situation. So start with them and build upwards.
I include this one but I also don’t. The GDPR states that a DPO should be experienced, but as we are in a brave new world, what does that mean? One thing I’ve found on my travels is that even the most experienced DPOs under the DPA 1998 are now finding their feet once more under the new law. Experience has value, there is no doubt about that, but do not worry if you think you have none. Look at some of the skills below and embrace them instead. You’ll soon gain experience and be all the wiser for it. I think it is safe to say that we are all finding our feet a little with the 'brave new world' we find ourselves in.
3. Good communicator
I read a book once on the ‘Psychology of Information Security’ and it talked about those who work in Information Security and how they can, sometimes, work in a vacuum between what is required and what is actually happening in the business. Now, this does not apply to all of us. I know many DPOs that get involved because they want to help. However, equally, I also know a growing number of DPOs that got involved because of the power it brings (not unlike the Sith and the Force - although these DPOs aren’t bad, just misguided). Someone once told me that the reason why they enjoy working as a DPO is that they get to say no to people and people have to involve them in things. That isn’t the right attitude, and means actually you’re here for the power, not because you believe in Data Protection (not unlike the Sith).
Therefore, if you’re here because you believe in Data Protection as a business practice and value (and right), then you’ve got to be able to communicate that, and communicate with, the business at all levels. At a Data Protection Forum event I presented at, one delegate asked me “How do I get the business to come to me with their requirements?”. So I replied by asking whether they ever go to the business. The answer was a stern no, as they believed that the business should always come to them. Not so. If you want to win the business over and get your message across then you need to take that message to the people. You need to be out there, spread across the galaxy (the business) keeping the peace, establishing ways for the business to come to you, and selling the message you are trying to sell. Just sitting there and saying ‘this is the law, they should be doing it’ achieves nothing. You are dealing with human beings here; write what laws you like, they will need herding/educating of some description, and while you’re sat there waving the flag, no one can see you and no one will buy it.
The same goes for rocking up to management meetings. I freely admit that I have been guilty of this in the past, rocking up to a management meeting with a ‘holier than thou’ attitude and knocking down every stupid idea that doesn’t align with my idea of Data Protection. Now that is a very tempting thing to do; trust me, I have dabbled with the Dark Side many a time and am still tempted by it today. But that achieves nothing (except maybe not being invited back). I am not advocating abandoning our message but instead outlining our message in a manner suitable for that audience (see also the skill of diplomacy).
4. Good listener
Linked to the above is being able to listen and hear what the business is saying. While I have no scientific data to back this up, it has been my experience that many DPOs are problem solvers, often jumping to a solution or recommendation (in their heads at least) long before the business has finished outlining to them what the problem is. Now that is a skill to cherish, but also one to use carefully. If you’re busy validating your solution in your head or verbally, you are not listening to what else the business is telling you. They may well have told you a symptom of the problem, not the problem itself.
One of the many painful lessons I have learnt to date is to be patient, listen and observe what the business (or indeed client) is telling me. Sometimes it is just noise, sometimes it is useful information. But we all say things for a reason. So listen to the language they use, listen for what is important to them and what their concerns are and, most importantly, listen for the areas where you both agree and align. Everyone is trying to do the right thing based on the resources they have available to them at the time. You can only be one of those resources if you listen and see where you fit in order to support them and their priorities.
I once knew a DPO from Bangor
Who always had a face full of Anger
They tried and they tried to the point that they cried
But the business could see nothing but the Anger
Now that was my very poor attempt at poetry (and indeed the use of Bangor is purely for artistic purposes), but it does reflect an unhelpful trait many of us have. We have all been here, and indeed we will all be here many times before we retire, but the key is what we do when we are there: in those circumstances where the business walks all over us, ignores us, belittles us, or just makes us feel like “what is the point?”. The key is to ask why we have arrived there. What has gone wrong? What can I learn from this to avoid it occurring again? Was it something I said? Have I missed a priority or concern they have, and have they reacted badly because of it? How do I pick myself up from this and continue to fight the good fight, because I believe in what I am doing?
If, instead, I just wander around the business with a face like thunder, angry at everyone, the business and the world for this curse that is being a DPO, can I really be surprised that your average everyday staff member doesn’t want to engage with me? Is it possible that I am now creating the very scenario and atmosphere that is making me miserable? Take control, change it, make yourself approachable to staff, visible to staff, trusted by staff, and soon that will change.
Linked to the above is our ability to be flexible (or pragmatic). The DPO is not responsible for Data Protection compliance within an organisation. The DPO is there to advise and assist; the business must (and will) walk its own path. Accepting that, and accepting to let go of that natural human instinct to control/own something, is difficult, but it does allow you to work in a more productive manner for you and the business. It also makes it clear to the business that they cannot palm it all off on you: you are a critical friend and resource, not the person the blame stops with.
That’s a long slow lesson for the business, but if we are still trying to keep control of it, and portray that to the business, is it any wonder they try and palm responsibility on to us?
Very much linked to the other skills is the ability to be diplomatic (or, as some may call it, strategic). There are some ‘battles’ that are either not worth having with this particular party (but maybe with another), or are not worth having at all, as they achieve nothing and everyone loses.
There are also times when some degree of tact is needed when dealing with key individuals. You never truly know what is going on in someone's mind, what pressures they face, what issues they are grappling with. Sometimes a little diplomacy and tact in our message, in and of itself, can go a long way in building bridges with key people in the business and getting our message across. A difficult one to master, and you won’t always get it right, but certainly something to have in the armoury.
As a DPO I was always of the opinion “accept nothing, challenge everything”. If IT says that a laptop that has been stolen was encrypted, that’s nice, but where is the proof? How can we say with certainty that the laptop was encrypted, where is the evidence?
Similarly, when something goes wrong, I rarely accept things at face value. People, for example, don’t just make mistakes. There is a reason for it. Some of them logical, some of them not so, but random human error is very rare. Something causes the majority of them, ranging from attitude to work pressures. A good DPO will, therefore, have that inquisitive niggle in their mind: “But why did X happen?”. As I like to call it, the annoying child skill. If you have ever asked a child to do something (or indeed a teenager, but they usually aren’t interested in the why, they just don’t want to do it) they will often respond with more than one question of “Why?”. This can go on time and time again but, as an adult, it does mean you can get to a reasonable root cause.
Many IG teams / Data Protection teams collect a lot of data on a range of things: FOI requests, SARs, breaches etc. Many don’t have the time or the resources to review it, but I would encourage you to make the time, as the insights it can give you are invaluable.
For example, with regards to breaches. Depending on what data you capture, you can start to see across months and years when and where your pressure points are. You can also see trends in behaviour for specific teams and indeed specific changes in the business. Someone once told me a restructure has no effect on staff effectiveness. To which I firmly laughed and referred them to the stats I had been collecting that showed a very clear opposite. In every department where redundancies were hitting hard, the number of breaches also had a sharp, out-of-pattern increase. While this doesn’t stop them, it does mean you can focus your limited resources on the areas you need to, backed up with real data.
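To show what "out of pattern" can mean in practice, here is an added example of the kind of check a DPO could run over a breach register. It is not the author's own tooling; the breach log, the department names, the restructure date and the thresholds (double the median of earlier months, and at least two incidents above it) are all constructed assumptions for the illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample breach register (not real figures): one record per
# reported incident, giving the month it was logged and the reporting team.
BREACH_LOG = [
    ("2019-01", "Finance"), ("2019-02", "Finance"), ("2019-03", "Finance"),
    ("2019-04", "Finance"), ("2019-05", "Finance"), ("2019-05", "Finance"),
    ("2019-06", "Finance"), ("2019-06", "Finance"), ("2019-06", "Finance"),
    ("2019-06", "Finance"), ("2019-06", "Finance"),
    ("2019-01", "HR"), ("2019-03", "HR"), ("2019-05", "HR"), ("2019-06", "HR"),
]

# Constructed restructure dates per department, to compare against any flags.
RESTRUCTURES = {"Finance": "2019-04"}


def _month_index(ym):
    """Turn 'YYYY-MM' into a running month number so months can be compared."""
    year, month = ym.split("-")
    return int(year) * 12 + int(month)


def monthly_counts(log):
    """Return {department: {month: count}}, zero-filled for every month seen
    anywhere in the log so that quiet months are not silently dropped."""
    months = sorted({month for month, _ in log})
    counts = defaultdict(lambda: {m: 0 for m in months})
    for month, dept in log:
        counts[dept][month] += 1
    return dict(counts)


def flag_out_of_pattern(counts, factor=2.0, min_jump=2, min_history=3):
    """Flag (dept, month, count, baseline) where a month's count is at least
    `factor` times the median of the earlier months and at least `min_jump`
    incidents above it. The median is used as the baseline so that one earlier
    spike does not mask a later one."""
    flags = []
    for dept, by_month in sorted(counts.items()):
        months = sorted(by_month)
        for i, month in enumerate(months):
            prior = [by_month[m] for m in months[:i]]
            if len(prior) < min_history:
                continue  # not enough history to call anything a pattern yet
            baseline = float(median(prior))
            count = by_month[month]
            if count >= factor * baseline and count >= baseline + min_jump:
                flags.append((dept, month, count, baseline))
    return flags


def after_restructure(flags, restructures, window_months=3):
    """Annotate each flag with whether it falls within `window_months` after a
    restructure in that department, so the spike can be read in context."""
    out = []
    for dept, month, count, baseline in flags:
        hit = False
        if dept in restructures:
            gap = _month_index(month) - _month_index(restructures[dept])
            hit = 0 <= gap <= window_months
        out.append({"department": dept, "month": month, "count": count,
                    "baseline": baseline, "after_restructure": hit})
    return out


if __name__ == "__main__":
    flagged = flag_out_of_pattern(monthly_counts(BREACH_LOG))
    for row in after_restructure(flagged, RESTRUCTURES):
        print(row)
```

With the constructed data, only Finance in June 2019 is flagged (five incidents against a baseline of one), and it lands two months after the constructed restructure date; HR's steady one-a-month pattern is left alone. The two thresholds are deliberate: the multiplier catches the shape of the change, and the minimum jump stops a team going from zero to one being reported as a doubling.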
A delegate at an event I was at recently added this one in, as we have seen a rise of 'famous' DPOs that tend to brag about what their organisation is doing. Now, if you have genuinely got it right then well done. You are as close to perfection as you can practically get under Data Protection. But let's be honest, there is no way on God's green earth that you have achieved that in less than 2 years. You may have delivered policies, procedures, training etc, but have you really got a data mature culture? Are all your technological controls monitored and reported on? Do you have oversight of what the business is up to? Probably not. So, coming back to the earlier quality, know what you know and accept that there will be things that you just don't know and things that will continue to bite you in the behind. Such is the nature of the beast. Arrogance was the downfall of the Jedi; do not let it be the downfall of you, regardless of how well you've done.
This is by no means an exhaustive list of skills for a DPO, and by no means is it something you should judge yourself by. This is just a list, using a well-known pop-culture metaphor, framing what it means to be a Data Protection Officer and how to forge a career and a value out of it, based on my experience and that of those I've worked with.
If you want to come to any training sessions where I teach skills of the DPO please take a look at the events page of our website.