The role of the Data Protection Officer (DPO): From Blocker to Builder

Data protection law is often viewed as a necessary evil, and a lot of ‘red tape’. But this doesn’t mean that data protection officers (DPOs) and other professionals in the field of data protection should be seen in the same light. Instead, Luke Beckley and Clare Paterson believe, as they presented at the Privacy Space event in November 2022, and are excited to be taking one step further at The Hive Live event for data professionals in September 2023, that it’s time to recognise the immense value that professionals in the data protection field can, and do, bring to a business, and go from blocker to builder:

(Don’t miss the free download at the end of the article.)

“We’ve seen first-hand the frustrations and fears of DPOs who feel they are fighting against the organisations they work for. Add to this the changing landscape of the legislation and the possibility this may lead to (more businesses!) seeing the DPO as unnecessary.

There is also a growing emphasis on ESG (Environment, Social and Governance) in most sectors though, and new initiatives in the name of ESG and EDI (Equality, Diversity and Inclusion) often involve the collection and use of data, which gives DPOs an opportunity to widen their remit and add value.

Why are DPOs seen as blockers?

Let’s be honest, data protection law, as it currently stands is not sexy. It’s seen as reams of complicated regulation talking about what you cannot do with data.

Data Protection doesn’t talk about revenue generation, it doesn’t talk about ‘tangible’ (i.e. monetary) benefit to the organisation and it doesn’t talk about driving the strategic goals of the organisation.

We often hear colleagues saying things like “I work in Finance, so Data Protection doesn’t affect my job.”

But as we know, Data Protection relates to everyone and will have at least some impact on every department, even Finance. For example, the headcount budgeting process uses names and profiling based on cost, benefits, and may include personal opinions. Payments made and received include names and sometimes personal bank details.

In organisations where there’s a Data Protection team and a Data Analytics Team, budgets are more likely to be cut in our area (Data Protection) under the current thinking and interpretation than in the Data Analytics teams.

That’s because Data Analytics is seen as supporting and driving the business, and Data Protection is seen as stifling the business, introducing ‘red tape’, and telling them what they can’t do.

These misconceptions about data protection lead to the DPOs themselves being seen as blockers to the business. So people will avoid us!

Colleagues either hide from us intentionally, or they just don’t realise that they should include us in their work, and go straight past us on their merry way.

We often find ourselves facing a business that doesn’t value data protection, and we want desperately to illuminate the importance and value of data protection. But coming from that position, we risk reinforcing the misconception that data protection and DPOs are all about blocking the business.

Because it can be really difficult to defend a complex set of laws, especially when the name itself doesn’t do it justice: “Data Protection” sounds like it’s only about security. Non-DP folk can be forgiven for thinking that as long as they keep data secure (and the IT team is on top of that, of course) there’s nothing else to worry about.

So, our colleagues may find themselves, understandably, thinking “why does the DPO keep banging on about Purpose Limitation and Retention Periods…?”

Is it worth continuing to fight this fight, then? To keep explaining over and over that Data Protection is about so much more than security, and that it effects all areas of the business?

We believe firmly that it is worth continuing to fight the fight, but it’s not easy. So perhaps we need to change our approach. We believe we need to work hard on changing the reputation of DPOs from blocker to builder.

How do DPOs go from blocker to builder?

Data, including Personal Data, is one of the most valuable assets a business has. What the business wants is to understand “what’s in it for us?” They want to know how they can use the data they’re collecting, to drive revenue, profitability and enhanced market presence.

On the other hand, Data Protection professionals are trying to achieve is the fair and lawful use of data, and the protection of the rights of the individual.

As soon as we talk about ‘Personal data’ or ‘Data Protection’ then our standing in the business, in our experience, is compromised and we are operating in a different and significantly less influential capacity. We’ve alienated ourselves from the business objectives and aims, and presented a view that has only one outcome: We’re seen as the blocker to business output, growth and financial gain.

DPO knowledge

It goes without saying, that DPOs work hard to keep up to date with the prevailing and applicable legislation. This is the key element we are employed for.

It’s assumed we know what we need to do under the various legislative acts to comply. And we do know these things, even if we can’t quote the laws verbatim.

(Clare: “That’s me! I cannot – and do not – quote the law off the top of my head.”)

However, there’s something else you know as a Data Protection Officer…the business, and its people.

DPOs have a wealth of knowledge and insight about the organisations they work with.

And while it can feel like we’re walking on a tightrope between the DP law and the business, remember that from up here, we have a unique, global, view.

We can see the whole picture – both the legal issues and the business issues.

So how do we put that view to best use? To bring the law and the business together?

DPO skills

Think about all the times you are called upon to put your knowledge of DP law to use in your role. Do you just quote the law, and leave it at that? A good DPO certainly doesn’t!

Here is just a selection of the skills we DPOs employ to put our legal knowledge to use:

Business Analysis: We are skilled interviewers, and we understand complex ideas and processes. In our roles, we need to build rapport with a myriad of people throughout all levels of the organisations, so we can map out those processes and data flows.

With our holistic view of the organisation, and how it is actually operating, from these interviews and maps, we can help to relate those processes to the organisations’ strategic objectives.

Project Management and Change Management: DPOs’ ability to build relationships with stakeholders is crucial in negotiating the inclusion of Data Protection into the business processes. Yes, we know it should be a given, but we know we’re all negotiating change!

Before we can do that, we work out how to relate the specific element of the prevailing data protection law to the business processes, we have to understand the business drivers and understand how those processes interact.

Audit Management: From our work we form audit schedules and procedures that we need to carefully introduce to the business. The results of these audits then highlight additional requirements for maintaining and updating data protection throughout the organisation.

DPOs also have training and consultancy skills, can analyse data and understand its significance, are tenacious and passionate about their work, and after all that can stay calm in the face of stress!

Data Protection professionals are using these skills almost subconsciously while applying their DP legal knowledge.

So how do we use those skills, with that knowledge, to become seen as a builder, not a blocker?

Turn it around!

Turn the focus of your work away from your knowledge of the law, and onto the skills you have, that you use when implementing legal requirements.

You may have been employed for your knowledge of the law, but look at all the skills you need to utilise even before you can get to the point of implementing the law.

However, so many DPOs take for granted that we have those skills. Every time we’re asked “just a quick question”, we undertake interviews, define processes, and conduct risk assessments, often before we can even get to the data protection part!

Critically though, we’re only seen to be shouting about the data protection part.

We haven’t revealed nor emphasised the interviewing, business analysis, process mapping, risk management, data analysis skills (and so much more); we’ve done that almost in secret, then we’ve answered the legal question.

So we’re calling on all Data Protection professionals:

Reveal your inner superhero skills and powers!

Let’s shout about those skills first and foremost.

Or if we’re feeling really manipulative… sorry, influential(!)…then we can reveal and shout about only those skills, and stay quiet on the data protection part.

If we shout about our business analysis, process mapping, and risk assessment skills, they will be seen more clearly as defining our purpose and benefit to the business.

Which doesn’t mean we’re not still “doing” data protection, but we will be able to drive “data protection by stealth.”

“Data protection by stealth” means having business processes that are data protection compliant, almost without anyone realising, because the compliance is so “baked-in” that it is an inextricable part of the process, not an add-on that feels clunky.

This is the goal we have for our own organisations and clients, very much in the same way as safe working practices have become the norm in construction.

Our tips for baking-in data protection to all processes in your organisation include:

  1. The first rule of “Data Protection by stealth” club, is – Don’t talk about “Data Protection”! Instead, speak the language of the business.
  2. We don’t usually need to convince the business that we know our stuff (DP law), but we do need to demonstrate that we understand their stuff, and how we can help them achieve their defined outcomes. For example, focus on customer experience with customer teams, focus on finances with finance teams, and focus on colleague experience with HR teams and managers.
  3. Don’t lose sight of that global view though. With our global view we can help join the dots across the business; zoom into each area of the business, then zoom back out, then into another area, back out again, and so on, and we can see where connections can and should be built between the business areas.

If this sounds like a lot of extra work on top of an already busy workload, we completely sympathise, so here are a few ideas about how to make this work for you.

  1. Make time: there are many ways to increase your available time, but it takes discipline. For example, instead of answering all the questions you get asked immediately, can you recommend colleagues read the Data Protection Policy or guidance first (that you likely spent weeks writing!), with their project in mind, so you aren’t reviewing it from scratch.
  2. Manage your time: focus on building your time management skills, and having firm boundaries.
  3. Use your community: Find like-minded people, like the people we meet at Privacy Space and other events, and the people in The Hive (free online group run by CP Data Protection), to share the burden where you can.
  4. Focus on your skills and gaps: While carrying out your DP work, make note of the skills you’re using, such as business analysis, process mapping, risk assessment skills, and time management, to remind yourself of your skills. And if there are any gaps, that shows you where to focus.

Next steps

“The way to get started is to quit talking and begin doing.”

~ Walt Disney

We can’t promise that every organisation and business is going to appreciate your skills, and your ability to be a builder, not a blocker. But that doesn’t mean it isn’t worth revealing your inner superhero to show your colleagues (or maybe even a new employer…) the immense value you can, and do, bring to the business.

Your mission, if you choose to accept it, is to stop talking and begin doing…and we are here to be your accountability buddies and cheer you on.

FREE DOWNLOAD: We’ve created a free ‘prompt sheet’ to help you keep track of your journey from Blocker to Builder, which you can sign-up to receive by clicking here.

Contact us in the coming days, weeks, and months, to let us know how you are getting on with going from Blocker to Builder.

Find us on LinkedIn, we can’t wait to hear how you’re getting on, or how we can help you: Luke Beckley and Clare Paterson.

Join The Hive – free group on LinkedIn and meeting monthly online.

And come join us at The Hive Live 2023 where the theme of the conference (our first conference!) is Blocker to Builder.

The event is for everyone working with data (i.e. everyone!) not just Data Protection professionals. As the Housing Ombudsman stated in the Spotlight on Knowledge and Information Management report ‘senior leaders [need to be] clear about the importance of Knowledge and Information Management (KIM), and their standards and expectations.’

The Hive Live aims to bring Data Protection professionals and experts in other areas of businesses together, instead of working in silos, in a day of sharing knowledge, listening, learning, planning, and meeting friends old & new, in the interactive & engaging sessions.

There is never enough time for networking when we meet with like-minded and similarly enthusiastic professionals in the worlds of housing and data, so this event is largely interactive, or you can of course choose to observe instead, if that’s more your style; there is no pressure to do anything you’re not comfortable with.

Find all the details here: The Hive Live; Blocker to Builder

If you’d like to be first to hear about the latest articles from CP Data Protection, and news about the Hive Live, you can sign up to the mailing list by clicking here.

If we’re not already connected, please do find me and follow me in all the usual places using the links below.

LinkedIn

YouTube

Spotify – What’s the Difference podcast

Read more about “baking-in” data protection.”

Latest Blog Posts:

One comment

Leave a Reply

Your email address will not be published. Required fields are marked *