Checklist for DPOs starting at a new company

Jun 4, 2020 12:00:00 AM | DPO Checklist for DPOs starting at a new company

Starting at a new organisation as a Data Protection Officer is very exciting, but can also feel a little overwhelming: Where to start? What to do first? Who to talk to? How to get up to speed as fast as possible? To help ease the transition, we have created a checklist for the first couple of months that DPOs may find useful when starting out at their new company. 
Checklist_DPOs_Starting_New_CompanyWhile the role of the DPO is oftentimes defined by one’s independence, GDPR compliance is never a one person effort. Being a DPO of an organisation requires extensive knowledge and awareness of an organisation’s general practices in order to make the right decisions, and execute and oversee tasks to ensure data privacy compliance.

Get to know your key stakeholders
Before anything else, it’s crucial to understand who the key stakeholders are within your new organisation and what their roles are in regard to the company’s data management. A new DPO should be encouraged to meet the key stakeholders, get to know them, and have a conversation on their tasks, why they are doing things a certain way, and note down for yourself how it might be related to your tasks of data protection. For instance, think of getting acquainted with your product or service, the processors and recipients who will be working under your guidance, the marketing and sales departments, who work closely with prospect and customer data, the IT and security teams that maintain the company’s security systems, and representatives of HR, who administer various employee data. A strong understanding of how and why each department handles personal data on a daily basis, or how they approach the introduction of new applications could prove especially useful for future projects such as carrying out DPIAs, data mappings, or handling DSRs, where key disciplines often need to work together.   


Understand the organisation’s data protection efforts per department
As you get further acquainted with the key stakeholders, create an open dialogue with them about the various ways data privacy and rights under the GDPR are communicated towards prospects and customers. Also have a discussion on how and on what legal grounds personal data is collected and further processed. By discussing these practices openly, and analysing the relevant factors for privacy afterwards, you won’t only be one step ahead of any potential privacy risk, but it also helps formulate a full-proofed version of the measures that could impact better customer relations, improve commercial efforts, and above all, ensure compliance. 


Keep an overview
Make sure to keep an overview of everything you come across that could be important for data protection. A great way to do this is to carry out a data mapping in order to Identify all services and/or business processes that involve the use of personal data within your organisation. A data mapping exercise can be useful in the sense and it requires an overview of all processing activities. After analysing data flows, you will be able to see whether all processings are backed by the relevant legal grounds, and if your privacy policy and all third parties involved are up to date.

Get familiar with the organisation’s procedures
Often at least some sort of procedures are in place for data protection within an organisation, for instance in case of a data breach, the existing security controls in place, or in addressing DSRs. Take note of what the steps are, who is responsible in each step for what, how much awareness for privacy is present within the organisation, how procedures are to be carried out, and understand why it’s been established in that way. 


Review your privacy statement
Just by reviewing your new organisation’s privacy statement, you can gain a great overview of the organisation’s privacy initiatives early on. It will also allow you to be able to see where potential improvements might be needed, and talk to the department heads responsible to plan the way forward.


Review your privacy policy
While diving into privacy statements early on helps you get a head start in getting to know how the organisation processes and handles personal data gathered externally, you will need to get familiar with the internal data management of your organisation as well. Take the time to look through the organisation’s privacy policies and identify practices or measures that may pose risks or require further improvements. It can be beneficial to keep track of your thoughts and notes, and bring it up with the appropriate parties once you have settled in a bit more.  In case of discrepancies, upon a discussion with stakeholders, necessary amendments can be made to the privacy policy to ensure compliance. 

Evaluate whether there is a privacy culture present within the organisation
As the number of internal data breaches are on the rise and can come in various forms, keeping a close eye on workplace habits, and establishing to what level privacy awareness has spread throughout the organisation, can help you determine just what you are dealing with. It can also be a cause to suggest preparing staff trainings and awareness sessions, or seeing how C-level may support you in creating a data privacy culture to protect the reputation of the business.

Communicate with C-level regularly
C-level management might have specific expectations from you as a DPO, but there may be instances where they might not necessarily have an idea of providing you with the right tools to achieve it. As support from upper management proves vital for maximising GDPR compliance efforts, understanding their point of view early on may help settle goals for the future. Get to know their concerns and also express your concerns early on so that both you and C-level could have a joint impression on what is needed to solve the potential issues you’ve taken note about. 

Ask for the adequate resources and tools
Especially when starting out somewhere new, days might pass by just answering privacy-related emails and phone calls. At the same time, the amount of tasks needed to be done for compliance is extensive. Therefore asking for the right resources and tools for data protection can make all the difference in efficiency. Consider looking around in the compliance software field, and see if automation and smart technology is what you need to be able to do your job the best way. 

Remember: GDPR compliance is a marathon, not a sprint
While the first couple of months may seem a little overwhelming as you really need to get deep into the data privacy practices of your new organisation, rest assured, that you will always be able to find supportive key stakeholders, a large amount of helpful resources online, and compliance software that can make your daily work significantly easier. If you’d like to experience first hand how compliance software may help, take a look at our 14-days free trial, with access to the full solution.