
A DPO Guide For PDPA & Other Privacy Laws: Forming a DPO Team

In the third instalment to this 6-part series, we're going to be discussing the practices when it comes to forming a DPO team. What kind of expertise do you need in this team? Should you be hiring especially for this? Do you even need a team? Read on to find out.

In the previous instalment of this blog series, we discussed the importance and best practices behind gathering management buy-in. A successful Data Protection Management Program (DPMP) is not possible without the support of higher management. After gathering management support, you should give some serious thought to who should be on your DPO team. Having the right people on your team is critical in determining the success of your DPMP.

A recap of the 6 essentials for Data Protection Officers (DPO) we are touching on in this series:

In Part 3 of the 6 Essential Things Every DPO Needs To Be Effective series, I will focus on the tips of forming a DPO team in these three areas — (1) Why Do You Need a Team, (2) Involving the Existing Employees, (3) Hiring a Full-time Practitioner.

1. Why Do You Need a Team?

When I tell my friends or family that I work in the cybersecurity industry, the common response is, “oh, so you’re an IT guy!” The conflation between the two would lead some of them to start telling me about the issues that they’re facing with their laptops or WiFi, with the expectation that I could troubleshoot these issues for them. No doubt, these things are a big part of cybersecurity, but cybersecurity is a company-wide concern that seeps into every aspect of any organization. This misconception is not unusual in the workplace, where many employees assume that cybersecurity is limited to IT.

Data Privacy professionals face the same frustration. Instead of seeing Data Protection as a company-wide goal, people often see it as a legal problem that only concerns the DPO or the legal counsel. By limiting the role and reach of Data Protection, an organization makes it difficult to improve its own Data Protection posture, because Data Protection compliance can only be attained with cooperation between all departments.

The primary reason for having a well-rounded DPO team, as opposed to giving the job to a single person, is that it prevents or abates the myopic mindset discussed above. Involving key personnel from the relevant departments in the DPO team lets Data Protection reach into those departments throughout the larger company. This creates a heightened awareness and understanding of the importance of a DPMP across the company as a whole. Additionally, pushing out Data Protection initiatives is much easier if the key personnel are already involved on the DPO team.

Another reason for having a team is that most DPOs have other primary responsibilities within an organization. Depending on the size of the company and the other roles that exist within said company, it is usually unfeasible for a single person to adequately fulfil the rigorous demands of the DPO.

2. Involving the Existing Employees

At this juncture, I hope that you have been convinced that Data Protection needs a team rather than a single person. Now, we will be discussing the two types of members that could be invited to the team: existing employees or new practitioners.

Let us begin by looking at the first scenario: inviting existing employees to the team. As discussed in the previous section, it is highly encouraged to have key personnel from the relevant departments on the team. However, it might not be feasible or logical to invite a person from every single department either. So which departments are relevant?

The two departments that you would definitely always want to involve are Legal and Security. Legal compliance is at the very core of Data Protection and IT Security is a crucial and indispensable element within compliance.

Next, you should shortlist the departments that handle personal data heavily. Imagine that you work for an e-commerce company. The Customer Service and the Software Engineering teams are likely to have great control over, and use for, large quantities of personal data. You would definitely want to have the leaders of those departments as part of the DPO team. Personal data protection also extends inwards. Internal employee data and information is crucial too, so you would probably want to get someone from the Human Resources department involved as well.

3. Hiring a Full-time Practitioner

Once you have figured out which employees are crucial to your DPO team, you might also consider hiring a full-time Data Privacy practitioner to the team. This is not always necessary and it depends heavily on your business needs. So how do you know if your business needs require a full-time practitioner? See if your business requires the following:

  • Frequent Data Protection Impact Assessments
  • Drafting and pushing out data privacy policies, and procedures
  • Regular Data Protection awareness and training programs
  • Any other recurring Data Protection activities specific to your organization

When hiring the full-time practitioner, you should look out for the following expertise:

  • Good knowledge of the relevant Data Protection laws and the associated advisory guides, if applicable
  • Ability to draft and implement Data Protection policies and related procedures
  • Experience in Data Mapping
  • Experience in Data Protection Impact Assessment (DPIA)
  • Relevant certification(s) in managing personal data such as IAPP’s Certified Information Privacy Manager (CIPM)

The need to hire also depends largely on the size and business nature of the company. In many cases, once a functioning DPMP is built, the need for having a full-time practitioner drops dramatically. If you are exploring the idea, be sure to consider it carefully before hiring because there’s a chance that the need for this resource could be eliminated and they become idle in the future.

Conclusion

One of the biggest challenges you might face is the resistance people might put up when they are asked to join the team. Joining the DPO team sounds like a lot of work! When approaching potential members, it is important to be transparent in what responsibilities this new role might entail. The involvement required from the members might not be as daunting or as time-consuming as they might first imagine it to be. In the next three blog articles of this series, we will dive into the specific functions of the DPO team, and provide insight into the responsibilities of the different team members.


Yang JianGang

Jiangang is a CyberOps Consultant at Horangi and a Certified Information Privacy Technology specialist supporting customers from all industries in their privacy compliance program.
