Useful lessons from our round table discussion with DPOs

Together with one of our partners, Approach Belgium, and just before the Corona outbreak, we brought a number of DPO’s around the table for a conversation about their challenges and experiences.

They work in very diverse sectors and in medium to large organizations.

Meanwhile, the chef of Hof Ter Musschen spoiled the attendees with a tasty lunch menu. The questions and topics that were prepared were not necessary. It became a smooth and open conversation where everyone could be sufficiently addressed. In what follows you can read where the challenges lie for these people and what tips they gave each other.

One is not alone

Although almost all of the attendees are the only person in the organization solely concerned with data privacy, they ask a lot of questions about how to get the rest of the organization involved and keep them involved. It won’t work without them.

There are the business owners, or call them ambassadors or data privacy coordinators, who have the knowledge about the operational processes and especially, the security around this. How at these people keep data privacy on the agena?

There is the interaction with the CISO (Chief Information Security Officer) and how is the relationship with this? The CISO is responsible for the security of the information, the DPO for that of the personal information. Is the DPO role then regarded as a second line of defence? In that case, more clarity is needed on the cooperation between CISO and DPO. Now both individuals sometimes keep looking at each other or refer to each other.

And then of course there are the third parties. These also have a responsibility to take on. It is not always easy, for example, to get processing agreements formalized and certainly not to check whether the additional measures are being respected.

It is emphasized that in the relationship with all these actors, the DPO has an advisory role that does not take decisions. It remains very important to make the different actors aware of their accountability.

Avoiding fines

Of course, the topic comes up. There is great consensus that if one can demonstrate that there is sufficient documentation (uniform structure, centrally managed and up to date) and that questions from those involved and the authority are responded to correctly and within the requested period, the risk of a fine remains fairly limited.

Acting more on based on risks

In keeping data privacy on the radar of business owners, experience shows that they respond better to demonstrating the impact on their business and its risks than waving the risk of fines. The possibility that the processing of the data might be halted clearly has more effect. If one continues to fall on deaf ears, the audit committee is seen as an effective forum for getting certain things through.

The question is asked whether the agreements with third parties and the compliance with the corresponding measures should also be more risk-based. In that case the critical importance of the implementation of the measures should be obtained from the business owners and the CISO. Only then can a risk be linked to it and assigned the right priority. And this is where the shoe pinches sometimes.

Useful tips for each other

Finally, there were also some tips exchanged among themselves. We share a few with you.

  • Ensure that someone from management remains involved and keep the lines of communication short
  • Remain pragmatic when working out processes – they must remain workable for employees
  • Take every opportunity to explain things e.g. don’t just solve an incident but also see it as an opportunity to explain things and make sense of the impact
  • Take into account the fact that many incidents originate from human errors
  • A very concrete tip about the guidelines in the area of cookies: you can find useful tips about Google Analytics settings on the website of the GBA.

We ended with a delicious dessert and coffee/tea and parted ways with the request from a number of DPOs to do this again in six months’ time.

That is certainly something to consider. Would you like to receive an invitation in that case? If so, please let us know at . Of course we will only use your email address for these purposes.