PrivIQ - GDPR compliance software essential to the DPO’s Toolkit
The European Data Protection Board (EDPB) recently released a report containing its findings and recommendations of an EU-wide audit/investigation called ‘The Designation and Position of Data Protection Officers’ (DPOs). The exercise was a coordinated investigation by the 25 EU member states’ supervisory authorities (an information regulator, for each member state) into the role of DPOs and the challenges they face in ensuring GDPR compliance. With the many challenges that DPOs face, the last thing they also need is complex GDPR compliance software to manage their privacy program.
The report provides a list of recommendations that organizations, DPOs and/or SAs may consider when addressing the challenges identified, without prejudice to the EU’s General Data Protection Regulation (GDPR) and the powers of the SAs.
The EU’s GDPR provides comprehensively for the designation, position, and tasks of the DPO. Some global personal data protection laws adopt a similar approach, not all of them providing such detail as the GDPR, while others contain no reference to this position.
(See GDPR Articles 37, 38, and 39)
Universally applicable
Generally, the position of DPO/Information Officer/Privacy Manager does not always receive the attention, respect, support, resourcing it deserves / requires / commands.
Notwithstanding the absence of any reference to DPOs in relevant regulation, it should make sense for any organization implementing a personal data protection program to designate a suitably qualified individual to guide the organization through its implementation and maintenance of such a program. Regardless of its title – DPO, Information Officer, Privacy Manager, Data Protection Manager – and the like.
Here are some of the investigation’s findings and associated recommendations. There could be further similar investigations in future.
Challenge |
Recommendation |
Absence of designation of a DPO, even if mandatory |
More initiatives by SAs could raise awareness among organizations regarding their obligation to designate a DPO, including as to whether a DPO is required. |
Insufficient resources allocated to DPOs |
More initiatives and actions by SAs could incentivise organizations’ management to dedicate more resources to the DPO’s office. At all times, organizations must be performing an appropriate, case-by-case analysis of what resources a DPO need, for example, GDPR compliance software. |
Insufficient expert knowledge and training of DPOs |
SAs and/or the EDPB could provide further guidance and training sessions for DPOs. Organizations should ensure that DPOs are given sufficient opportunities, time, and resources to refresh their knowledge and learn about the latest developments. |
DPOs not being given key roles as required under the GDPR |
More initiatives and enforcement actions by SAs could incentivise organizations to maintain a proper separation between the organization’s obligations, and the DPO’s own obligations and duties as set out in the GDPR. Organizations must promote the role of the DPO internally. |
Lack of systematic involvement of the DPO within organizations |
All stakeholders should promote the role of the DPO within organizations to ensure that the DPO is seen as necessary and effective support of the organization in accordance with the GDPR. Organizations should ensure that they are actively reviewing and (where necessary) improving the DPO's involvement within the organization. |
Conflict of interests due to conflicting roles or tasks |
Despite the courts clarifying ‘conflicts of interest’, the investigation showed risks of possible conflict of interest. Therefore, the existing ‘Guidelines to the DPO’ should be developed further. Further initiatives and actions by the SAs could verify that organizations have appropriate safeguards in their procedures to ensure that the DPO is not carrying out tasks that lead to conflicts of interest. |
Lack of independence due to instructions received by DPOs or contractual or budgetary setup |
More awareness-raising activities, information, and enforcement actions on the independence of the DPO could be envisaged (including on the prohibition on penalising and dismissing DPOs for performing their DPOs’ tasks), either by SAs or internally by organizations themselves. Organizations and DPOs could formalise the DPO’s duties and conditions for performing the DPO’s duties in an ‘engagement letter’. DPOs should be able to collect evidence in the event of interferences with their independence. |
Lack of reporting by the DPO to the organizations’ highest management level |
SAs could encourage the adoption of industry standards, internal data protection policies and best practices to better define the conditions, frequency, content, and effectives of the direct reporting. |
PrivIQ’s GDPR compliance software lights up the DPO’s toolkit.
As mentioned before, the last thing a DPO (Privacy Manager, Information Officer etc.) needs is to add to these challenges, those of using a complex solution to manage the privacy program. Implementing and managing the program requires a top-down, bottom-up approach. With collaboration being key across the entire landscape. Stakeholders quickly lose interest if the solution is complex. People leave the organization – with those skills – and join the organization, needing to be trained.
It is proven! – PrivIQ’s GDPR compliance software is unmatched in its ease of use. Simple workflows, providing effective, relevant, and auditable output. Making training a breeze.
Collaboration has never been simpler. Allocate PrivIQ access to stakeholders – across all features, in any permutation. Assign tasks and set review cycles to manage operational risk. Or – simply customize your own checklists and tasks to accommodate any risk scenario. Socialize default policies and documents or create your own in the Document Library.
Data mapping is the engine that drives everything. Throughout the process, the DPO assists the organization in identifying and managing data mapping risks. The completed data mapping then seamlessly integrating with the Record of Processing Activity report, the Privacy Notices, Data Subject Access Requests, and Processor/Operator management.
Provide guidance and support with Data Protection Impact Assessments and Incident Responses.
Using PrivIQ’s Real-Time Audit, the DPO monitors the compliance journey’s progress – managing remediation on the fly, and producing risk reports crucial to senior management.
Want to learn more about our GDPR compliance software solution?