Head of Governance Legal & Compliance and Data Protection Officer at Great Ormond Street Hospital Children’s Charity
Q1. What do you enjoy most about being a DPO?
The variety of work is probably the most enjoyable aspect of being a DPO. Everything the Charity touches upon, or is impacted by, has a data protection implication. And for those activities or projects where I’m not automatically involved, it definitely serves to pique my curiosity that I can extend my “legal obligation” to involve myself!
I love the challenge of implementing data protection to ensure the Charity achieves its objectives and, given the wide remit of my role, I get to work with everyone, in every Team and at every level. For me, the whole legislative framework is fascinating, and I have been passionately advocating data protection compliance for many years. For many, I know the principle-based nature is frustrating, but I love the debate that naturally follows. Being a DPO forces me to stretch myself (admittedly sometimes to the point where chocolate is a necessity) and provides me with a personal challenge to keep up to date with, and on top of, what is happening with things I might otherwise dismiss or not have time for.
Q2. What data protection topic(s) would you most like to see updated guidance on and why?
There are a few areas where updated guidance would be beneficial. However, top of my wish list (at this particular moment in time) would be more detailed guidance on information sharing arrangements with third parties across each of the different types of relationships: data controller to data processor; data controller to data controller; and joint data controllers.
Although there is guidance available for the common types of arrangements between organisations, like the controller to processor relationship, when looking at something a little less ordinary, say, two independent controllers with an element of data processing thrown in for good measure, or a joint data controller arrangement, there seems to be much less available. This can sometimes be quite frustrating and can lead to more misconceptions than I’d hope for.
The misconceptions we commonly come across include a misunderstanding or misuse of the term joint data controllers; or a need by an organisation to insist they are the controller and we are their data processor. Certainly, a good template for an arrangement between joint data controllers would have been really useful recently!
Q3. What was the biggest challenge you had to overcome in 2018?
2018 threw up several challenges from becoming confident in advising on a new legislative regime, to reviewing consent models, contracts and refreshing retention schedules. We survived the biggest change in data protection legislation for years and despite everything the world didn’t end on 25 May 2018! However, I reckon the biggest challenge we overcame was that old classic of time management.
We juggled GDPR implementation with providing an operational service to the Charity and came out the other end – almost unscathed at that. GDPR was for us, like many other organisations, resource intensive. We had detailed and ambitious plans including a full review of data processing activities, documentation overhaul and a training refresh.
We challenged ourselves to stick to these plans as far as was humanly possible and sought to engage our colleagues without overburdening them with additional work. Whereas we were living and breathing GDPR for the months leading up to May (and in many ways we still are), for our colleagues GDPR was more like an interruption to business as usual, and we sought to make that interruption as “polite” as possible. They still had their jobs to do and objectives to meet, and we still needed to support them in doing so.
I couldn’t be prouder of my small team and what they achieved during 2018 whilst keeping their heads and spirits high.
Q4. What advice would you give to someone looking to move into a DPO role?
Get as much practical experience as possible, ideally in as many sectors as you can. Then understand your organisation, its strategy and objectives, and apply your practical knowledge as much as, if not more than, your legislative knowledge. Legislative knowledge is, obviously, essential; however, it’s unlikely you’ll ever win brownie points (other than with your fellow privacy professionals) for being able to quote articles and sections verbatim.
How you apply your knowledge and expertise to real life situations will be your main benchmark. Data protection has a broad description with massive reach that is relevant to every individual. Your role is to help people realise that it does matter, and it is important.
I firmly believe that the art to being a successful and respected DPO is the ability to convert this legislative framework, which is often described to me as complicated, contradictory and unhelpfully vague, into a form and language that is relevant and easier to understand (I’d never profess data protection to be easy!). Use the strengths of your organisation, its culture and values, to your advantage and you’ll be able to implement data protection in a pragmatic way that engages and empowers everyone.
Q5. What do you see as the major challenge(s) in the year ahead?
Let’s get the obvious one out of the way first: Brexit, and the challenges faced by organisations on how this will impact their data protection practices. There is the extent of information shared and received in and across Europe, as well as the incidental impact on any organisations relying upon the EU-US Privacy Shield as an appropriate mechanism for data sharing with US partners.
Even though we have limited reach outside the UK, it’s something we’ve started looking at. As much as anything, it’s the uncertainty of the level of work, if any, required to be compliant beyond 29 March 2019 that makes this a challenge.
Whereas 2018 was all about implementation of GDPR, I’d say that the challenge for 2019 is all about embedding, monitoring and enforcing/re-enforcing compliance with everything done during 2018. So much work and effort was put into getting to 25 May; the important thing now is to not rest on our laurels and to continue to drive forward with those principles of accountability and transparency. Therefore, moving from fundamental compliance to best practice is part of our journey plan for 2019.
Finally, for those working in the communication or marketing industries, the ePrivacy Regulation looms on the horizon. We know that the UK is updating the current UK legislation on 29 March to formally take the GDPR definition of consent into account. However, will the Regulation itself actually pass through EU Parliament and become law during 2019? What will the requirements for cookies and tracking look like if it does? And, more importantly, how will this affect UK organisations following our departure from the EU? One thing is certain, another interesting year ahead for DPOs.
For more information on Claire Robson and Great Ormond Street Hospital, please visit:
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.