Every Pinocchio needs a Data Protection Officer

Business Consultant
Getting your head round the GDPR (General Data Protection Regulation) is hard.
Every Pinnochio needs a DPOGetting your head round the GDPR (General Data Protection Regulation) is hard. Four years of wrangling resulted in regulation 2016/679, replete with 99 articles and 100+ recitals laced with inspiring yet non-specific terminology (e.g. “state of the art”) to stand us in good stead for the next 15-18 years. Although there have been many concerns expressed about the enforceability and specificity of the regulation, it is regarded as the gold standard and an enabler of innovation.
As the market conversation moves beyond compliance and the realisation dawns that this is a new era of personal data possibilities, just how do you translate legal positivity and uncertainty into the 1s and 0s of a digitising world in way that is consistent with your brand personality and your future customers’ expectations… and then explain it all in a transparent way?

Enter Jiminy Cricket – your Data Protection Officer (DPO).

One of the first pieces of official pan-European guidance to accompany the GDPR explains the role of a DPO. In refreshingly direct and granular detail, the Article 29 Working Party have clarified the independence and authority this role needs to have. It is like the regulator has devolved itself to be an independent conscience within every Pinocchio organisation – to train, advise, oversee and so help organisations become more ‘real’.
As organisations seek to befriend us and engage with us on a human level, we naturally are looking for consistency and certainty in our interactions, particularly as we become aware that we are revealing more and more about ourselves through our plethora of digital agents and the internet of things waking up around us.
Pinocchio, so long a collection of independent limbs needs to act as a single entity and like a moral one too. There is, of course, a risk that faced with a dwindling timeline to 25 May 2018 and a growing realisation of the enormity of the GDPR ask, organisations look to outsource their decision-making to the DPO. But this cannot be. Whilst Jiminy willingly gives advice and sticks with Pinocchio through thick and thin, he doesn’t pull strings. The organisation must make its own decisions.

We typically find three conversations need bringing in sync to make GDPR sense:

  • The corporate one: “Do we wait for final guidance on consent or take our positions now?”
  • The technical one: “Now we’ve moved to the cloud do we know where on earth our data is stored?”
  • The day-to-day business one: “I’ll do whatever to get the job done so I suppose I’m a threat too, aren’t I?”
Helping your people see that we’re all in this together, that your brand risks being tarnished by association if something goes wrong in your ecosystem (regardless of who (individual or partner) is actually at fault) and that getting ready in time is still an achievable feat (we’ve got to try(!)) is quite a challenge. Catalysing the change is very much in the role of the DPO.
With organisations needing to take a risk-based approach and to explain in simple terms how people’s data flows through their estate – from source to deletion - DPOs are, not surprisingly, in short supply and if you have found the right one, they’ll still need adequately resourcing to help the organisation untangle itself, pick its privacy positions and orchestrate action to reflect those positions in daily reality. So much to do, so little time to get ready - and then the real race begins.
Nick Rhodes Business Consultant 23 August 2017