Like a lot of people, I don't like going to the dentist. It's a chore, and (no doubt because I put it off) there always seems to be something painful or unpleasant involved when I do go. What has this got to do with data protection? Read on...

There is a welcome amount of continuing discussion going on about the appointment of data protection officers (DPOs) in organisations. Some are having to think about it as part of their Brexit contingency planning. Others, frankly, are only just focusing on GDPR compliance. For many organisations, the realisation of the need to appoint a DPO comes from a breach or a near miss, or as a consequence of losing business because they cannot demonstrate full compliance with the GDPR.

All of these are good reasons to be thinking about appointing a DPO, and the article linked below has some good guidance on the things that ought to be considered when making the appointment. But I must just sound a word of warning. DPOs are at their most effective when they are an integral part of the business, and in that context the use of terms like "poacher and gamekeeper" is probably unhelpful.

I know a number of DPOs who experience the frustration of being seen as "the enemy" within their organisation. This has a number of consequences. Those who are developing initiatives that touch data will often leave the DPO out of the loop, fearing that they will be told that they can't do what they want to, or resenting the extra layer of scrutiny involved in getting their project cleared. At its worst, this leads to businesses deploying new software or implementing processes which are not provided for in their privacy notices or policies, without the DPO having had any input into how those have been developed. There must also be the risk that such a dynamic puts pressure on the DPO to scale back their recommendations or scrutiny in order to ingratiate themselves with their colleagues.

Over recent years, there has been a growing awareness of the risks around shadow IT, where individuals bring their own devices or applications into the IT ecosystem of the business. In the same way, a failure to see the DPO as an integral part of the business, at every stage, poses real risks for that business's compliance. It is almost invariably a part of a broader failure to embrace a culture of privacy by design, and the jeopardy that flows from that can be a good deal more discomforting than a half hour in the dentist's chair.