The Virtual Data Protection Officer

N.B. This article is a transcript of TheGDPRGuy Podcast Episode 5 – The Virtual Data Protection Officer from July 2017.

In this episode I’m revisiting the Data Protection Officer role, focusing solely on the ins and outs of a VIRTUAL DPO, or DPO “as a service”, as some people are calling it.

In episode 2 of this podcast I went into great detail as to why you might need a DPO and what they’re going to do for you. And at the end of the episode I briefly mentioned that you could use an outside person to help out in this capacity. And since then I’ve received a million questions about how it all works, so in the next few minutes I’ll give you my perspective as someone that does this on a daily basis.

So I’m a virtual DPO. I have a number of clients for whom I’m their DPO for a few days per month, and I absolutely love it. It’s one of the few roles where you get deep insight into an organisation’s inner workings and executive strategy, and crucially make a big impact. Most of my clients are small in terms of the number of employees, but with some being disproportionately large in terms of their revenue.

To recap, there are three reasons why GDPR may require your organisation to have a DPO: if you’re a public authority or acting as one, if you’re processing large volumes of special categories of data (that’s sensitive data to you and me) and if you’re regularly and systematically monitoring data subjects on a large scale. Others may feel that a DPO is just a good thing to have, even if they don’t legally need one. A good example of this case is if you’re a Processor and your Controller clients all have DPOs and you spend lots of time in meetings with them discussing how you handle their data. A DPO can be your life saver here and show massive credibility.

So generally it’s large companies that will need a DPO but there will also be a lot of smaller organisations that will too. Companies involved in large scale email marketing, analytics or in healthcare will most likely require a DPO.

But whilst you need to have a DPO nominated, the activities of the role will depend massively on the size, complexity and breadth of each organisation. Some will need teams of people working for a DPO, others will need a DPO for only a few days per month. And this is where the value of the Virtual DPO comes into play.

If you think you’ll be having a DPO for GDPR but don’t want to have a full time employee on this, then virtual DPOs like me are the answer.

Different companies provide the service in different ways, but here’s my approach with my clients and it’s a model that is serving them well.

When hiring a virtual DPO, costs will vary, but they’re usually all based on a day rate for the number of days per month expected to be working with you. The rest of the month they’re effectively on-call should the client need them. Cost matters, but I’d rank it further down the list of priorities than other factors.

In my view the most important thing to look for is whether the virtual DPO GETS your business. Do they truly understand what your organisation is all about, how you work and whether they would add value in your culture? I’m adamant that a DPO should be business minded first and data protection focused second. That might sound like blasphemy to many Data Protection purists, and frankly I don’t care. If the DPO is to have a seat at the exec table, they need to be part of the team and helping sail the ship in the right direction. If you’re a DPO and don’t like the direction of the organisation, for instance you don’t agree with their ethics or business model, then get off the ship.

Being a DPO is about helping the organisation and its data subjects be in control and prosper with data. For that reason, a DPO can’t be too technically minded. And I don’t mean that in the IT sense of the word. I mean they can’t be too focused on technicalities, which a lawyer or an IT person might be. They need to understand the technicalities but translate them in a way that helps everyone. So the DPO needs to have a REAL business head on their shoulders.

Of course, any DPO needs to have all the right skills and data protection experience for the role, but REAL TIME experience is vital. And by this I mean they HAVE to be actively working on multiple streams of GDPR right now, for instance with multiple clients in your sector and also in others. This way you’re benefiting from the experiences, failures, successes and lessons learned of everyone else trying to get ready for GDPR. I can’t stress how vital this is. One of the key benefits of a virtual DPO is their real time experience of multiple perspectives and strategies for GDPR Data Protection so make sure that any virtual DPOs you speak to are already busy with other clients. You want to slot in alongside their other clients and gain from all the wider experiences.

A common question I get asked is when to bring in the DPO. Is it as soon as possible or should I wait until May 2018? I’d argue the sooner the better. Start making the DPO function part of your everyday operations and that will help massively as you get everything straight BEFORE May 2018.

Interestingly, the DPO role isn’t a requirement for many right now under existing law, and therefore if you implement one now, it doesn’t need to be in an adviser only capacity. This means that your virtual DPO can be both an adviser and a doer, for the moment, and then as you get closer to full GDPR readiness you can transition them to a true adviser/auditor only role as the GDPR requires. This is great if your virtual DPO has other skills that you can lean on now to get everything ready.

Day to day, your virtual DPO should be there if you need them and most likely will be spreading their time with you over the course of a week or month, working remotely, usually in phone calls and virtual meetings and document reviews. And you’ll probably want some scheduled onsite visits to suit you. The beauty of the virtual DPO is they fit around you, work how you want them to work and you only pay for the amount of assistance you need, when you need it. Every virtual DPO engagement I’m involved in has a baseline amount of time each month and then flexes up as pieces of work come in to deliver as the client demands.

If you’d like to discuss the Virtual DPO role with me, or see if my team or I can help your organisation with a virtual DPO then give me a shout. We have a very flexible way of working with clients and we’re laser focused on helping your organisation prosper through good data protection.

Carl Gottlieb

Carl Gottlieb is the privacy lead and Data Protection Officer for a select group of leading tech companies. Carl’s consultancy company Cognition provides a range of privacy and security services including virtual DPO and virtual CISO.