How does legal meet IT?
The magic of the DPO
Reading time: 7 min.
According to Section 4 of the GDPR (Articles 37 to 39), a Data Protection Officer (DPO) can, and in some cases shall, be appointed to carry out certain tasks. Among other things, they assist with Data Protection Impact Assessments (DPIAs), inform and advise on the regulation, and carry the main responsibility for being the link between the Data Protection Authority (DPA) and the organization. Having someone responsible for these tasks means that companies save time (and thus money ;-). Some of the main advantages of appointing a DPO who is responsible for GDPR are listed below:
- They skip the step of having to assemble a task force from different employees if the DPA decides to ask the organization questions.
- They ensure better communication about the regulation, because employees will know whom to ask questions about GDPR.
- They have a designated person to advise on how to conduct a proper DPIA.
These are only a few benefits of their awesome work. Whether the company chooses to appoint an actual DPO or someone in a similar position, experience has shown us that appointing someone responsible for specific tasks always turns out to be beneficial. It's not enough to have a legal team of several people sitting on the knowledge with no one responsible for it. Appoint a DPO (or someone in a similar position) and watch the magic happen.
The others, who are also doing magic
Far away in the basement at the other end of the big organization sits another business unit whose primary work also consists of doing magic. Or at least many people think so, because their work is so complex that very few people actually get it. You guessed it: it's IT.
Whether they hide in the basement or sit suited up on the top floor, there is often a lot of uncertainty about what they actually do, and so it's easier for a lot of people to just think "magic".
But what does IT actually do? This is a question you might find harder to answer than you expected. We know who to call when we can’t log in to our machine, or when some programs are acting up. We call the helpdesk, create a ticket and wait for them to show up.
This is the way most of us know IT, but it highlights only a small part of what they do, namely their responsibility for the 'functionality' of IT. Classically there are two more areas: infrastructure and governance.
So, basically, they do everything. This all sounds pretty good, and maybe now you're shaking your head in disbelief because you know that your IT department will not just wave a wand and work their magic. If you want something from IT, take a number, get your ticket and get in line. IT are busy people and they're expensive to employ, so unless you're the CEO your best approach is to wait patiently for their guidance.
Why DPOs should get on IT's agenda
If you're a DPO, one of the likely places you've encountered IT is when compiling the Article 30 record of processing activities and describing the technical and organizational security measures required by Article 32. It's a great example of a situation where legal and IT are forced to communicate. Common obstacles here are communication, time and priorities. It's rarely as easy as a quick email to IT asking for a description of the security measures. They might take some time to answer and then get back to you with a description of encryption. If this happens, you must be ready to do some more waiting if you also want an understandable description of confidentiality, integrity, availability and resilience, the ability to restore data after an incident, regular testing and evaluation, and everything else that security measures entail under Article 32.
This can also be a big frustration for IT. Between making sure that everything runs smoothly, helping other employees with software problems and implementing new systems, it might not be obvious to them why someone working with personal data would want to know whether the accounting system is exposed to open networks, or in which country the server of the payment system is located.
Legal and IT might in fact be the most dissimilar kids in the classroom. So why is it that we force them to work together? And how do we make it happen?
Where’s the value?
This is the easiest question to answer: because we have to, if we want to be compliant.
But this should not be the only reason. If we dive a little deeper, a lot of great synergies between the two are revealed. IT has a lot of the answers that the DPO needs. In a digitalized world, IT knows the risks of each system from a technical point of view, because assessing them is part of what they are trained to do. They also know how those risks can be mitigated with certain controls and, most importantly, they know the cost of doing so.
This information is therefore half of the knowledge the DPO needs to determine the final risk they must be aware of when describing the Article 32 security measures or advising on a DPIA. The other half is the input the business provides: they know the impact on their business unit if a system stops working as intended, is leaked or is otherwise compromised, and the risk is then the impact combined with the probability of it happening (impact x probability).
There are a lot of missed opportunities in the interactions between the two. Often the information IT holds can answer multiple questions that legal has. If you're working with GDPR, the framework has a lot in common with ISO/IEC 27001 and 27002, and likewise, if you're in pharma working under the GxP quality guidelines, IT's knowledge about logging (traceability) and documentation (accountability) will be relevant in all of these fields as well. So it's definitely important for the DPO or legal to get on IT's agenda, but the cherry on top is that IT also gets a piece of the cake: the valuable information that the DPO is sitting on. In order to be compliant, for instance when compiling the Article 30 record, the DPO needs to know what's going on in the organization.
Whether you're working in Excel spreadsheets (and if you are, we would love to show you an alternative) or using a system, you as a DPO know the importance of mapping the organization. Finding out exactly which business units use which data, where they send it, where it comes from, where it's stored, and how it's processed, deleted and secured is all essential information. But this is also something IT can use. The DPO has the chance to become the link between the organization and IT, because amid all the work that happens in IT, it's hard to keep up with the business units. Someone might have bought a new solution without involving IT. Some systems aren't being used any more, and some are being used differently than first intended. All of this is information the DPO can, and should, give to IT. That way IT can do their own job better too, as functionality, infrastructure and governance become easier to manage with intel from the business units. They'll know what's going on in the field.
If this new flow of information can be set up in a system where the parties can easily communicate in the same language, there's even more value for the DPO. Because IT also benefits from it, the two can potentially share the cost of building these possibilities, so the DPO and IT together have a good case to bring to management. In the end, better communication between the DPO, IT and the business units will also help the organization as a whole in terms of GDPR awareness, and thus make it more compliant.
If all of this information can flow easily and understandably between the two, a great synergy is created. We saw this, and so we built our campaign module and our risk and control module to serve exactly this purpose. Others are aware of it as well and may have other solutions for how best to create this opportunity for the two. To some it might even be obvious that these synergies exist, and they already use them; if so, all that's left to ask is whether it's done in the most efficient way.