Latest News: Horangi Raises US$20m to Strengthen Cyber Security Offering in Southeast Asia
logo
Cyber Strategy

The 6 Essential Things Every Data Protection Officer Needs To Be Effective (Pt. 02)

In Part 1 of this blog series, we discussed the importance of mastering data protection in three pillars — law & compliance, technical data protection, and cybersecurity. Our next segment talks about the micro strategies you can employ to garner management support.

In Part 1 of this blog series, we discussed Mastering Data Protection. If you now understand the technicalities behind data protection laws, processes, and cybersecurity fundamentals, you are then one step closer to implementing a robust Data Protection Management Program (DPMP) for your organization.

A recap of the 6 essentials for Data Protection Officers (DPO) we are touching on in this series:

Understanding DPO Basics

To be an effective DPO for your organization, the following is a list of essentials in any Data Protection work:

  • Master Data Protection
  • Gather Management Support
  • Form a DPO team
  • Conduct a Gap Analysis
  • Build a Data Protection Management Program (DPMP)
  • Run the DPMP

For any DPO to drive a robust and successful DPMP, buy-in from management is integral to eliminating the roadblocks across the organization — which can be a challenge to navigate, especially for a DPO who is new to the organization or role.

In Part 2 of the 6 Essential Things Every DPO Needs To Be Effective series, I will zero in on the best practices behind gathering management support in these three areas — (1) Garner Cross-Functional Support, (2) Focus On Good, (3) Identify Data Protection Champions.

Garner Cross-Functional Support

The implementation of a DPMP is comprised of significant process changes and educating the organization on these changes, all of which require the investment of extra resources in the form of manpower and budget to add to and train additional members on the DPO team.

For instance, if the DPO needs to implement a penetration testing process that affects all applications that store personal data, this program would require:

Since the process changes in a DPMP have a cross-functional impact, a top-down approach to making the changes a reality will be a more efficient approach than one where a DPO tried to implement the new processes by themself.

Focus on Good

Fear, Uncertainty, Doubt (FUD) is a common tactic that DPOs will employ to get management support. The harsh reality and penalty for not endorsing a DPMP — a breach of Data Protection laws, plus reputational and financial damage — are self-evident. For smaller businesses where sensitive Personally Identifiable Information (PII) is crucial to business operations, a serious data breach could spell the end of the business.

This fear-based approach, however, does not put a DPO in an advantageous position with the top management in the long term. Excessive use of it could promote skepticism and or even contempt.

Instead of always using the stick, successful DPOs strive to get management aligned with the benefits of Data Protection compliance. Not only does this mitigate data breaches, but by being transparent to customers about how your organization is committed to data security, this privacy assurance can go a long way to fostering long-term brand loyalty among your best customers. In Singapore, for instance, the mark of a robust DPMP is an organization being awarded the Data Protection Trustmark Certificate. For customers, this is proof of a modern and trustworthy organization.

Identify Data Protection Champions

Rather than adopt me against the world approach to speaking to management, successful DPOs understand how critical it is to the first partner with other internal stakeholders who also care about Data Protection. This way, they have a stronger voice for both speaking to the management and disseminating the message across the organization.

Obviously, the more influence the Data Protection champion has in the organization, the better. This person could be the finance manager since finance tends to hold a considerable amount of sensitive data. They could also be the revenue director, who would be concerned about the hit on revenue should a data breach happen.

In my experience, I have seen the strongest support coming from senior management directly, to the extent that it was a board member who came to the DPO’s support because of the former’s cybersecurity background.

The DPO Learning Journey Continues

Because many elements are out of a DPO’s control, there is ultimately no textbook answer to best obtain buy-in from management in the implementation of a DPMP. Joining a DPO network to understand the learnings from other DPOs is an excellent way to accelerate one’s learning journey.

In the next installment in this series, we discuss the topic of forming a DPO team, so stay tuned.

Yang JianGang

Jiangang is a CyberOps Consultant at Horangi and a Certified Information Privacy Technology specialist supporting customers from all industries in their privacy compliance program.

Subscribe to the Horangi Newsletter.

Hear from our Horangi tech experts as we go deep into up-and-coming cyber threats, new solutions, and talk about the future of cybersecurity.