Are you a DPO in all but name?

This post from Tim Lennard FCA. Tim qualified with PwC London.  He now consults to organisations seeking to manage data privacy compliance.

Finance Professionals and data privacy

Seeing the recent the GDPR blog post from Richard Anning reminded me of concerns I have heard from Finance professionals whose responsibility has been extended to include data privacy.

Organisations that process personal data may not be legally required to appoint a Data Protection Officer (DPO) but are not free from the requirement to comply with the legislation.  Even those that that are suppliers to a data controller and process data under their instruction, are required by GDPR to sign a processor contract that exposes them to redress. Recognising this exposure, organisations have put someone ‘on point’ to own data privacy, and where there is no internal legal team the Finance Director/Controller who manages other aspects of compliance is a good candidate.  You may have been ‘volunteered’ into the role of ‘DPO in all but name’ and if so;

  1. Do you have the bandwidth to keep abreast of emerging data privacy legislation?
  2. Have you been able to ensure appropriate training and process change has cascaded through the organisation? (GDPR article 39)
  3. Is there an appropriate and ongoing monitoring regime to ensure that your organisation remains operationally compliant? (GDPR article 39)
  4. Have your objectives and the way you are measured been modified to reflect additional data privacy responsibilities?
  5. Do you have the tools or other resources to provide visibility to personal data processing and related issues within the organisation?

If you are a ‘DPO in all but name’, but your answer is ‘no’ to any one of the above you would be forgiven for wondering whether compliance risk is effectively managed.  A retained service from an objective privacy professional can support you in your extended role and is also evidence, should you ever need it, of your company acting in good faith to ensure compliance. 

I’ll declare my interest, I am an FCA but my focus for some time has been providing support to organisations that have such a need and want to effectively manage data privacy risks.

How has your organisation adapted to the demands of GDPR?