Data protection officers (DPOs) are facing increasing difficulties when performing tasks manually to comply with data privacy regulations. Gathering information about personal data processing activities in a large enterprise can take several months. There is often a large amount of information, and it is impossible to see everything at once (e.g., records of processing activities). Files can get lost and large files can remain open for a long time. It is difficult to keep information up to date. And there is a lack of visualization and explanatory information. However, identifying which tasks can be automated can enable DPOs to pay more attention to aligning their data privacy strategy to support their organization’s objectives.
Tasks of a DPO
The DPO ensures that personal data processing activities comply with applicable legislation in the field of personal data. They should also understand all the business processes of the organization and implement privacy by design and default principles in all personal data processing activities. The DPO’s tasks are outlined in Article 39 of the EU General Data Protection Regulation (GDPR).1 According to the International Association of Privacy Professionals (IAPP) Consulting Privacy Governance Report 2020,2 a DPO performs functions such as:
- Completing data inventory and mapping
- Performing a privacy impact assessment (PIA) or data protection impact assessment (DPIA)
- Ensuring compliance with personal data laws with regard to privacy-related vendor management
- Addressing privacy issues with existing products and services
- Assuring proper cross-border data transfer
- Developing privacy policies, procedures and governance measures
- Processing data subject access requests (DSARs)
- Conducting privacy-related awareness and training
Performing all these tasks manually can be a time-consuming process, especially if the DPO is working for a large organization with subsidiaries all over the world.
Research Results
Research was conducted in which 10 DPOs from large, international organizations were interviewed on the topic of automation. They reported that:
- There is no understanding of all the personal data processing activities that occur in their respective organizations.
- It is not possible to visualize the personal data processing activities and have a general map of data flows in the organization.
- There is not complete control of system updates and third parties involved in personal data processing.
- There are too many questions (related to personal data processing) from internal departments and there are difficulties with the handling of such questions.
The DPOs who were interviewed also stated which of their tasks were the most critical to automate. Figure 1 shows their responses.
Figure 1—Functions of the DPO to Automate
The responses show that the most important functions to automate are maintenance of records of processing activities (RoPA), management of third parties, implementation of risk assessments and visualization of data flows in the organization.
When choosing a solution, the DPOs noted that they were most likely to pay attention to:
- The availability of a personal data inventory
- Data sources available for integration (if data discovery is available)
- Data flow mapping
- Language
- Installation type (cloud/on-premise)
- Price
- Installation time
The DPOs were also asked which language and installation type they prefer and those responses are shown in figure 2.
Figure 2—Preferred Criteria for DPOs
It can be noted that the majority of DPOs prefer to have a solution for local language and on-premise installation. This is common when organizations do not use cloud services or do not have plans to move to the cloud.
After identifying what tasks would benefit from automation, DPOs can then determine what solutions available on the market would be beneficial to their organization.
Privacy Tools on the Market
IAPP prepared the 2021 Privacy Tech Vendor Report identifying 355 privacy vendors.3 Given so many options, DPOs may have difficulty understanding what should and should not be considered when choosing a vendor and automation tool.
Figure 3 shows how vendors compare according to the most important tasks of a DPO.
Figure 3—Tools for Automating DPO Functions
Data inventory, data mapping, risk assessment and third-party management functions are available in the majority of tools presented on the market.
However, it is not enough just to know the key privacy management software vendors and their tools. Selection criteria should be chosen according to the organization’s needs. The results of the comparison can be seen in figure 4.
Figure 4—Overview of Privacy Tools
All of this information was taken from vendors’ websites, demos and communications with vendors. Figure 4 indicates that some solutions have multilanguage support. However, it is better to ask a vendor for a specific language if it is required. On-premise installation is only provided by OneTrust and Dataguise. Since all of these vendors provide mostly cloud-based solutions, they are usually paid by subscription. Exact prices are determined on a case-by-case basis.
Choosing a Solution
When choosing a solution, it is important that a DPO checks:
- Whether data discovery is needed
- The support of an organization’s systems as data sources
- Whether the amount of information collected will comply with GDPR4 or relevant privacy laws
- The availability of the type of installation that is required for the organization (cloud-based/on-premise) and security measures
- Available languages
- Data flow visualization functions
- The availability of other modules that may be required in the future
It is also important to think about access and privilege with regard to privacy automation tools. It is useful for DPOs to have accounts with full access to all personal data processing activities in the organization, and for representatives from different business departments who are responsible for overseeing the processing to have accounts with access only to their own processes.
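As an added example that is not part of the article or of any vendor's product, the following Python module sketches two of the checks listed above in working code: whether a record of processing activities (RoPA) entry carries the information Article 30 GDPR requires, and the access model in which the DPO sees every processing activity while a department representative sees only the activities their department owns. The field names, role names, department names and the two sample activities are all constructed for illustration.

```python
"""Minimal in-memory RoPA store with Article 30 field validation and
role-scoped access (added example, not from the article)."""
from dataclasses import dataclass, field

# Paraphrased names for the items Article 30(1) GDPR requires a controller
# to record for each processing activity. Assumed field names, not a standard.
ART30_REQUIRED_FIELDS = (
    "controller_contact",
    "purposes",
    "data_subject_categories",
    "personal_data_categories",
    "recipient_categories",
    "third_country_transfers",
    "retention_period",
    "security_measures",
)


@dataclass
class ProcessingActivity:
    name: str
    owner_department: str
    details: dict = field(default_factory=dict)

    def missing_fields(self) -> list:
        """Return the Article 30(1) fields that are absent or empty."""
        return [f for f in ART30_REQUIRED_FIELDS if not self.details.get(f)]


@dataclass(frozen=True)
class User:
    username: str
    role: str              # assumed roles: "dpo" or "department_rep"
    department: str = ""   # only meaningful for department_rep


class RopaStore:
    def __init__(self):
        self._activities = {}

    def add(self, activity: ProcessingActivity) -> None:
        """Reject records that would leave the RoPA incomplete under Art. 30."""
        missing = activity.missing_fields()
        if missing:
            raise ValueError(f"{activity.name}: missing Art. 30 fields {missing}")
        self._activities[activity.name] = activity

    def can_view(self, user: User, activity: ProcessingActivity) -> bool:
        """DPO: full access. Department rep: own department only. Else: deny."""
        if user.role == "dpo":
            return True
        if user.role == "department_rep":
            return user.department == activity.owner_department
        return False  # deny by default for any unknown role

    def list_for(self, user: User) -> list:
        """Names of the activities the user is allowed to see, sorted."""
        return sorted(a.name for a in self._activities.values()
                      if self.can_view(user, a))

    def get_for(self, user: User, name: str) -> ProcessingActivity:
        activity = self._activities[name]
        if not self.can_view(user, activity):
            raise PermissionError(f"{user.username} may not view {name!r}")
        return activity


def denies(store: RopaStore, user: User, name: str) -> bool:
    """True if the store refuses to show `name` to `user`."""
    try:
        store.get_for(user, name)
    except PermissionError:
        return True
    return False


def complete_record(purposes: str) -> dict:
    """Constructed sample details that satisfy every Art. 30(1) field."""
    return {
        "controller_contact": "privacy@example.invalid",  # placeholder
        "purposes": purposes,
        "data_subject_categories": "employees / customers",
        "personal_data_categories": "identification, contact, financial",
        "recipient_categories": "payroll provider / bank",
        "third_country_transfers": "none",
        "retention_period": "7 years after contract end",
        "security_measures": "access control, encryption at rest",
    }


def build_sample_store() -> RopaStore:
    """Two constructed processing activities owned by different departments."""
    store = RopaStore()
    store.add(ProcessingActivity("Employee payroll", "HR",
                                 complete_record("salary payment")))
    store.add(ProcessingActivity("Customer invoicing", "Finance",
                                 complete_record("billing")))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print("DPO sees:", store.list_for(User("dpo1", "dpo")))
    print("HR rep sees:", store.list_for(User("hr_rep", "department_rep", "HR")))
```

The deny-by-default branch in `can_view` is the part worth copying: an account whose role the tool does not recognise gets nothing, rather than falling through to the department check with an empty department string.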
Once a solution is chosen, the DPO must convince management it is worthwhile.
The advantages of using an automation solution should be communicated to management to justify the cost. Advantages include:
- Understanding data flows
- Reducing the risk of human error
- Increasing speed of operations by reducing manual labor
- Controlling the risk of noncompliance with the requirements of the applicable personal data legislation
- Ensuring the control of information systems and third parties involved in the processing of personal data by data inventory and risk assessment
- Responding to data subjects’ requests in a timely manner
- Being able to quickly respond to changes in business processes
- Receiving up-to-date information about personal data processed through integration with IT infrastructure
- Having a user-friendly interface for visualization and generating reports and metrics on the effectiveness of the privacy function
Conclusion
There are clear difficulties with maintaining compliance with data privacy regulations. Some of the difficulties come from the manual tools DPOs use to build processes, keep processes up to date, answer data subjects’ requests and control changes. However, identifying which DPO tasks could be automated enables DPOs to pay more attention to critical areas and align their data protection road maps with the organization’s strategy. There are a number of privacy management software providers and privacy tools that can aid DPOs with implementing automation. Understanding the criteria for selecting suitable software to support the creation and maintenance of data privacy processes is crucial to build a privacy infrastructure.
Endnotes
1 Intersoft Consulting, General Data Protection Regulation (GDPR) Art. 39: Tasks of the Data Protection Officer, Belgium, 2018
2 International Association of Privacy Professionals (IAPP) and FTI Consulting, IAPP-FTI Consulting Privacy Governance Report 2020, USA, 2020
3 International Association of Privacy Professionals, 2021 Privacy Tech Vendor Report, USA, 2021
4 Intersoft Consulting, General Data Protection Regulation (GDPR) Art. 30: Records of Processing Activities, Belgium, 2018
Ekaterina Volkovich, CDPSE, CIPP/E
Is a senior consultant in cybersecurity at KPMG Russia. She is also the SheLeadsTech liaison for the ISACA® Moscow (Russia) Chapter. She has experience aligning local and international organizations with data privacy and information security requirements (in particular, EU General Data Protection Regulation [GDPR]), focusing on analysis and selection of automated solutions. Volkovich is a member of the Russian Privacy Professionals Association (RPPA). She has also participated both as an attendee and a speaker in local and international information security and privacy conferences, including the ISACA Virtual Conference: Privacy in Practice 2020. She also volunteered at ISACA EuroCACS/CSX 2019.