to find, but that should not prevent
you from training your DPO on the
important features of data protection
law. Based on the outcome of the
data mapping and privacy assessment, the DPO will need to design a
DPO action plan — which will be the
roadmap to reach compliance.
Data protection community
It is not enough to appoint a DPO
and then leave the pulling and pushing
to them. Data protection belongs
to everyone. It is crucial to establish
a true data protection community
involving all stakeholders at the right
moment. Once you have established
that community, it is important to
keep it alive. You can do this through
continued education using live
sessions, newsflashes, e-learning,
and webinars. You should also use
awareness campaigns with posters,
hand-outs, and gadgets. Webinars
are an excellent platform for sharing
challenges and solutions with a large
international audience. The DPO
should realize they are not doing
this alone and they should not keep
reinventing the wheel.
Data protection culture
The Article 29 Working Party asserts
that a DPO is required to promote a
culture of data protection within an
organization. This is excellent guidance, but is easier said than done. A
data protection culture effectively
embeds data protection in the company. It ensures that all people at all
60 ASSOCIATION OF CORPORATE COUNSEL
HOW GENERAL COUNSEL CAN HELP THE COMPANY BE SUCCESSFUL IN ITS DATA JOURNEY
Job description: Data Protection Officer
Start: as quickly as possible.
Background: IT, legal, and compliance professional with experience
working in an in-house environment. Preferably, all combined.
Required skills: Expertise in national and European data protection
laws and practices, including an in-depth understanding of the
GDPR, processing operations, information technologies and data
security, the business sector and the organization, and the ability
to promote a data protection culture within the organization.
Responsibilities: Re-engineering the organization in order to ensure legally
compliant processing of sensitive personal data, effectively preparing
for application of GDPR. Information security knowledge is a plus.
DATA PROTECTION KEY PRINCIPLES
■ Less is better;
■ Legitimate and specific purpose;
■ Transparency;
■ Data economy and accuracy;
■ Higher protection of sensitive personal data;
■ Limited access; and,
■ Security.

■ Password discipline;
■ Privacy screens;
■ Caution with data carriers;
■ Caution with public WiFi networks, use VPN; and,
■ Only use encrypted devices.