2 years of GDPR - "Many DPO reported feeling isolated in their role"

by Sypher - July 08, 2020

The second edition of the PrivacyHub webinar focused on the international perspective on GDPR after two years. Four special guests from different countries joined our event and offered a regional perspective on GDPR-related issues such as the DPO role, the DPO's interaction with internal teams, and continuous privacy education.

Ruslana Toneva, Legal Advisor, Data Protection & Privacy Expert in Bulgaria, talked about how the DPO focus has changed from an operational point of view in the last two years in Bulgaria. She also mentioned the obstacles the DPO has met: “Unfortunately, in the beginning, the role and functions of the DPO were unknown; controllers and processors were not aware of the role of the DPO. Two years ago, the DPO had to visit administrators and processors and perform GDPR training; now, they have a basic knowledge of this issue, and they are able to understand their obligations more easily”.

Balint Halász, Partner, Bird & Bird, Hungary, discussed the potential conflict of interest of the DPO with other functions. In his opinion, this issue is rather “complicated”, and the situation might depend upon the existence of an internal or an external function, especially in large companies: “If there is an external DPO, especially a legal advisor, a conflict might emerge between the DPO function and legal advice”. When a company hires an advisor, it has in mind the interest of the organization. “The function of the DPO is to stand up for the rights of the data subjects – employees, customers, business partners”.

When it comes to DPO interaction with the internal team, Angela Mitropoulos, Co-Founder of GAG-DPR P.C. in Greece, believes that absolutely nothing has changed. “In Greece it is very common to hire an attorney at law and use them as a DPO. The whole idea of compliance with the GDPR is not so welcome in most of the companies. The DPO has failed so far to become <> in the company”. That might be related to a lack of prestige and a low salary associated with the job. People also think GDPR compliance brings more problems than it solves, so, unfortunately, there is not much progress and employers remain skeptical regarding GDPR.

According to Angela Mitropoulos, the real question is “what should have been changed”. “Employees should be more confident in what they are doing. Many DPO reported feeling isolated in their role. In Greece, we could have done more”.

Radu Ionescu, Managing Partner, Ionescu & Sava Law Firm in Romania, addressed the topic of what has changed in the internal management of Data Subject Requests in the last two years. “There is a variety of types of evolutions in terms of how organizations deal with access requests. When GDPR came into force we were faced with the first wave of access requests that every organization had to handle and no organization didn’t handle it; most of them had no idea about the information assets”.

Radu Ionescu believes that the most efficient way to know if your organization is ready for a data subject request is to mock one and to analyze how the request is handled and answered. He also adds: “Until GDPR, most of the data subject requests remained unanswered. Also, in very rare cases data subject requests are legitimate; these requests are motivated by other purposes, especially in the area of employment relations. It’s used to get leverage in other areas”. His advice: data minimization and awareness in the organization are key.

When it comes to continuous education, Ruslana Toneva says: “The continuous education in the company is very important. Most of the data breaches are the result of employees’ mistakes. We need to explain to them in plain words their obligations and their duties”. She also believes that one initial training is not enough for the staff to comply with data protection regulations. A training program should be flexible and adaptable for different companies.

For Balint Halász, the main challenges in communication with the senior management are “about finding the right balance. If management doesn’t consider GDPR an obstacle, but an opportunity, at least an indirect opportunity – it’s a good premise. The DPO should be considered part of the strategy of the company”.

Radu Ionescu states that: “The DPO should be perceived as a business partner”.

In order to create a privacy culture rather than mandatory enforcement, Angela Mitropoulos offers three tips: “Training and never-ending training. Having a code of conduct in the organization to act upon is very important – employees know what to do and how to do it. Awareness – employees must always have in mind the consequences of a data breach. And cooperation.” She also mentions that “The ability to promote a data protection culture within the organization is very important. The DPO might come and go, but the principles remain in the company”.

The speakers also answered various questions such as “Is the DPO role more difficult in these Covid-19 times?”, “Should a data request be valid if it comes over the phone as a verbal request?”, and “Are there any good practices for time management of DPO activity?”.

The recorded webinar is available here.