Navigating privacy compliance can be hard. In this blog, DM Legal (data protection and privacy specialists) shares some war stories to illustrate how a DPO can protect and add value.
But first, let’s go back to basics and answer this simple question…
What is a Data Protection Officer (DPO), and when do you need one?
A Data Protection Officer (DPO) is responsible for ensuring compliance with data protection regulations, offering guidance on obligations, and being your liaison with data subjects, regulators, etc.
You need a DPO when you process personal data on a large scale, conduct systematic monitoring of individuals, and/or handle sensitive data (as mandated by data protection laws such as the GDPR).
Even if the law doesn’t require one, appointing a DPO is often advisable to help with your company’s data protection compliance and to mitigate the risks associated with privacy breaches.
1. Is consent needed?
6pm on 24th May 2018, the day before the EU GDPR came into force. We’d been working with a large multinational for months to get them GDPR ready before the deadline and were their appointed DPO. They were ready, everything was fine… Then a phone call on speaker from the board:
“We see everyone is sending emails to ask for consent to marketing. We have an email ready and are about to hit send but want to double check with you.”
Frustrating as this was, because it had been addressed several times already, we confirmed that it was neither needed nor advisable, and explained why: had they sent it, they would have been prevented by law from sending marketing to anyone who had not opted in, and a large percentage of the customer database would have become unusable overnight.
- Lessons learnt for the board: Trust in the DPO. Upholding the DPO’s guidance demonstrates a commitment to ethical business practices, safeguarding against costly errors and maintaining integrity in data protection efforts.
- Lessons learnt for the DPO: Keep your cool, explain your point of view, and do not cave in to panic.
2. Emails to the wrong person
At some point someone is going to send an email to the wrong person. It is a common error, and in general recipients tend to behave reasonably: they either flag that it has happened or, at least, delete it when they are asked to.
But there are exceptions. For example, at a company we worked with, a senior director and a union representative shared the same name, and HR kept sending information about the former to the latter!
In another case, an invoice was sent to the wrong person and contained sensitive information about the correct recipient. The wrong recipient decided it was an opportunity to try and get some money out of the business. The board were rattled: Do they pay? Do they tell the regulator? Do they tell the affected individual? Will this be leaked to their competitors and damage the business?
In this case, careful management of the situation and diplomatic conversations between the DPO and the wrong recipient, the intended recipient, and the regulator were necessary. A review of security measures was also needed to ensure this wouldn’t happen again.
- Lessons learnt for the board: It only takes one incident to be in a very high-risk situation, so design security measures to reduce the risk. Invest in good security and training. (Maybe even switch off email autofill.)
- Lessons learnt for the DPO: Take measures that are proportionate and legitimate. Make sure you can justify them. And don’t bargain with someone acting in bad faith.
3. Data Subject Access Requests (DSARs) from ex-employees wanting to cause problems
Exit negotiations with a difficult employee are coming to an end. Then you get the dreaded DSAR. They want all the information you hold about them, not just personnel records, and they worked for you for over 10 years. They’ve asked for emails, messages, telephone, Slack messages, etc.
A search using the individual’s first name, surname and nickname produced over 600,000 hits, before even looking at Slack. Even filtering the results gave thousands of documents and Slack messages that would need to be manually processed. And the individual’s line manager was known for being ‘robust’ in his communications about staff. But in the end the DPO managed to negotiate a more limited search and response.
- Lessons learnt for the board: Involve your DPO early so they can defuse the situation, or at least minimise the impact.
- Lessons learnt for the DPO: Train line managers regularly to be cautious about what they write and say about staff. And make sure the business has a document and message retention policy, and sticks to it.
If you need help or want to discuss any of your data protection requirements, including whether you should have a DPO, please get in touch.