Your privacy lead is not Q

Do you work in an organisation with a Data Protection lead? Probably. Most organisations heard about the GDPR, at some point in 2017, and panic-recruited accordingly.

WE MUST RECRUIT SOMEONE FOR DATA PROTECTION, BRING US DATA PROTECTION PEOPLE AND THEN THEY WILL MAKE DATA PROTECTION HAPPEN.

Your lead might be a formally designated ‘GDPR DPO’ or they might head a small data protection function and be kept hidden somewhere in a basement.

There is one very, very important thing you need to know about your data protection lead, regardless of their job title. They are not Q.

Q

They are not omnipotent. They are not all-seeing. They are (most likely) not experts on:

  • All laws relevant to your business and the application of those laws
  • Management of an IT department
  • Management of a Human Resources department
  • Project Management
  • Risk management
  • Management of a Procurement department
  • Training and communications
  • Managing complaints from members of the public
  • All of your key business functions
  • Leading strategically at board level

If you have a Data Protection lead who is an expert on all of these areas: congratulations? I think? You should appreciate them. They sound like they might be qualified to be your CEO.

On any given day, your Data Protection lead is going to get questions relating to any and all of these things. Could one person actually answer questions about and make the right changes in any and all of those things? Probably not. They are not actually Q. They may be an expert in some of these, but not likely all. They may be an experienced generalist with a good overview of how things should (but may not actually) work in all these areas.

But they don’t, likely can’t, and probably shouldn’t directly manage all of these areas. If they do – they are your Chief Exec.

So how does your organisation support your Data Protection function to address questions, issues, and risks associated with these areas?

Do you have a governance structure that actively includes these areas and which makes sure risks are being documented and addressed?

Does your Data Protection lead have the mandate to raise risks at the highest level? Are these risks considered and acted on? Do you make clear decisions about when you are going to tolerate a risk and when you are going to mitigate it?

If a decision is made to mitigate a risk, who is responsible for making a particular team carry out that change? Is this ‘a data protection thing’ or is it decided and communicated at a senior level to all the relevant managers?

Do your managers and leads in each business area have a solid grasp of the GDPR and of company policies? Are they championing privacy and supporting their own staff to get things right? Could they do with additional training?

We all know “GDPR D-Day” has passed. But we also know that most organisations are not confidently settled into the brave new world of Data Protection being taken seriously, in a consistent, ongoing way.

Don’t lose all the good project work of the last two years. Or year. Or nine months.

Work with your Data Protection lead on a maintenance and assurance plan that doesn’t involve them being mistaken for Q.


PS: They aren’t Q from James Bond either.

PPS: Don’t actually recruit Q from Star Trek. Troublesome employee. Would probably cause a data breach.
