10 practical tips to ensure compliance for data protection officers 

The role of the data protection officer (DPO) is one of the most demanding in the enterprise. There is more data in business than ever before, and that data's value in terms of customer insight has never been higher.

But keeping that data secure and confidential is also a growing challenge. The increasing sophistication and professionalism of cyber criminals mean that ransomware and data hacking are on the rise, while the forthcoming General Data Protection Regulation (GDPR) has mandated that all organisations employ a DPO.

Each DPO will have responsibility for overseeing data protection strategy and implementation to ensure compliance, so will need the skills, experience and knowledge to do this. The role is strategic, demanding and hugely important for GDPR.

There is no shortage of advice for how organisations should approach GDPR compliance. At OXIAL we have put together our own five steps to getting GDPR ready, based on our extensive experience helping organisations address compliance. Those steps are aimed at anyone involved with GDPR, but we felt it only right and proper to offer DPOs some specific and practical advice on how they can help ensure compliance. 

1. Execute your initial assessment program using preloaded models or import existing results 

The initial assessment (which should really be the start of any compliance project) needs to be robust and accurate, and ideally based on real data held by your organisation. Use pre-loaded models or, if that's not possible, import existing results, as this will give you a much more accurate assessment of what is required and what the DPO's priorities should be.

2. Assign and follow up on predefined measures and remediation actions 

While the DPO will take overall responsibility for many elements of GDPR, there is of course a broader team involved too. All the pre-defined measures and remediation actions should be assigned to an owner within the business, with follow-ups made where required, ensuring that what needs to get done does get done.

3. Produce one-click compliance reports whenever you need to 

Accessing and producing compliance reports cannot be a complex process, because they could be required at a moment's notice. Demonstrating compliance with GDPR is central to its objectives, so DPOs must be able to produce reports quickly and easily should a regulator require them.

4. Identify and qualify PI data structures managed by applications, batch programs and data flows 

In a large or even mid-sized enterprise there could be hundreds of applications with PI data structures. With such a large and complex environment to manage and understand, the accurate identification and qualification of these structures is of paramount importance.

5. Document business processes manipulating PI data structures, identify owners

We’ve written before about the importance of processes in compliance, and this cannot be stressed often enough. It’s processes that really impact how data is used, managed and accessed, and so documenting these processes is critical for identifying risk in GDPR, as is assigning ownership. 

6. Evaluate PI criticality levels and requested security means 

The next step for a DPO is to assess just how critical each PI data structure is, since some are more vulnerable than others. When this is complete, different and appropriate levels of security can be assigned to data across the organisation.

7. Supervise security measures deployment with alerts on delays 

With data, it's a question of 'when' not 'if' it will be hacked, so DPOs must be ready for such an eventuality. This entails knowing what data is protected at any given time, and being alerted to any delays in deploying security measures.

8. Maintain PI data structure registers by adding dedicated project steps, update procedures with dedicated legal statements 

PI usage is the main regulator target, so your organisation's PI data structure registers must be maintained at all times. OXIAL's methodology is based around the use of third-party experts who understand compliance and legal requirements, so procedures can be updated with the correct legal statements automatically; otherwise this is a manual task.

9. Manage data subjects' claims, requests and security incidents

A key element of GDPR is the additional rights now held by data subjects. They now have the right to be forgotten, to data portability and to be informed of any data breaches, and also to edit or transfer their personal data. This must be managed by the DPO, with processes put in place that make it a quick and painless task.

10. Report to management and regulator 

The final tip for DPOs is to be able to report on all the hard work carried out to attain GDPR compliance. Whether this is for a regulator or senior management (GDPR should be a board-level focus), reporting must be accurate, concise and not a drain on time and resources.

All ten tips are achievable for a DPO, but even more so when equipped with the right tools. The OXIAL GDPR EXPRESS Solution was designed to help DPOs manage GDPR and can take the strain in all of the areas outlined above; for example, it provides a single solution to coordinate all actions and components involved in PI management.

For more information on GDPR EXPRESS please get in touch with us here.