The role of Chief Data Privacy Officer (also called Data Protection Officer, CPO, or DPO) is a new but critical one for organizations that are focused on data protection and privacy. Multinational organizations may have more than one DPO, each working with regional data protection authorities. As new privacy regulations appear in the US and other countries, organizations based outside of the EU have embraced this new role as well.
Appointing a DPO is a way for companies to learn about themselves. Without a DPO asking the right questions, companies may be unaware not only of the breaches they are committing, but also of the risks they are taking. Having a DPO in place is also a way to shed some light on the large amount of unstructured data every company has. To create a truly effective privacy program that reduces privacy risk and increases compliance, DPOs need a number of tools to help them measure and report on their job efficacy and progress.
Privacy Benchmarks – DPOs should begin with a privacy benchmark. Corporate benchmarks against other organizations are helpful for understanding where the company stands with respect to peers. Internal or team benchmarks can establish a baseline of risk levels and then be used to measure progress toward a compliance goal across internal teams, business units, or functions. This allows internal teams to see whether they are doing the job they want to be doing, and where there is room for improvement.
Regular Risk Assessments – DPOs should establish a regular pattern of internal risk assessment to measure progress. If they work with third-party vendors, it is also essential to obtain regular updates from those vendors so that the results do not go out of date. An easy-to-use online assessment tool that can be automated to send out internal and third-party assessments and reminders on a regular basis will save time and reduce corporate and third-party vendor risk.
Tools that Facilitate Automation – Automation replaces inefficient, time-consuming privacy management activities such as spreadsheets, emails, and phone calls. Automated workflows, alerts, push email notifications, and dashboard reporting can save time and effort in follow-up activities.
Stay Current with Regular Monitoring & Reporting – A key activity of the DPO is to create a register of processing operations. However, data is always on the move. DPOs should obtain regular push notifications of changes reported in processing activities. Being able to track changes in processing activities can also indicate that employees are well informed and trained in matters of data privacy.
Improve Response Time to Consumer Requests with Integrated Internal Systems – One of the most challenging aspects of the DPO role is the management of data subject requests.
On average, 36% of companies require three weeks or more to respond to consumer requests, while 30% take two weeks or less. The kicker is the average cost per request: more than one-quarter of companies report an average cost of $1,000 to $2,000 per request. (Source: Gartner & CIO Dive)
Integrated systems that can manage the entire process from submission of request to verification to fulfillment are the most effective way to manage the flow of requests in a timely, auditable, compliant manner.
Measure Effectiveness through Web-Based Training – As discussed above, privacy isn’t managed by just one person or in one function. Privacy compliance should be understood and supported across the organization. By leveraging online training, DPOs can ensure that employees understand the importance of how they handle data. Regular training also provides an additional metric of DPO effectiveness as organizational awareness of privacy increases over time. Including data protection training as part of the onboarding of new employees can also be an effective way to develop the right culture.
Strong Privacy Compliance Takes Time and Effort
Any company can pass an audit once. Creating a culture of privacy and a sustainable privacy program requires ongoing monitoring, awareness, and optimization of the privacy program.
To meet this need, DPOs must seek out tools that help them not only report to the applicable data protection authorities, executive management, and corporate boards, but also assess and monitor risk, and measure their own efficacy and progress over time in improving the risk position and level of compliance across multiple functions of the company.