If you’re coming to the role of data protection advisor (DPA) or even Data Protection Officer (DPO) for the first time, you’re going to need to know the legal and regulatory landscape to do the job. But there are important lessons that you should learn as soon as possible if you’re going to make a career out of this diverse and hugely rewarding position.
The term “data protection” is, in itself, a bit of a misnomer when describing what the in-house advisor does on a daily basis. Perhaps when the Data Protection Directive was adopted in 1995, it was an appropriate designation for the advisor who was responsible for personal information. After all, the Directive was intended to preserve the fundamental privacy rights of citizens across Europe (no mean feat!). The problem today is that “Protection” implies restriction and, in today’s data-driven world, it rather unsurprisingly leads some stakeholders to the misconception that professionals tasked with ensuring privacy compliance are more likely to hamper innovation and development than aid it.
As practitioners, we must continuously balance the rights of the individual against the objectives of the organisation, taking the commercial view into consideration at all times. It will often seem that there is a fundamental divergence between what your organisation wants to do and what the law will allow, but you will learn through experience that the rules are for the most part common sense and that a practical “can do” approach is the key to finding solutions to most compliance issues. The trick is to understand what the business wants to achieve. Once you know that, and if there is a compliance issue, you should be able to offer alternatives or subtle changes in approach that meet both commercial objectives and compliance obligations. Saying “no” should be a last resort, where all options have been explored and exhausted and the compliance issue remains.
The role of the DPO and DPA is truly unique in that it will touch every function of an organisation at one point or another. They have to have a working knowledge of all systems and processes, be familiar with the objectives of every function within the organisation and identify their competing goals. They will need to see every angle of the scenario they are presented with, shaping their advice so the organisation can flourish in a legal landscape that is increasingly onerous: protecting it where necessary, pushing it forward in terms of best practice and supporting it in all its endeavours.
Michael Bond, January 2015
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.