A week in the life of Thomas as a DPO

IFORI acts for many organizations as an external Data Protection Officer (DPO), or as a privacy officer in support of the internal DPO. In doing so, IFORI employees act as permanent contacts for our clients in fulfilling these roles. In this blog, Thomas gives an overview of what to expect during a work week as a DPO.

As Data Protection Officer (DPO), my work week is a delicate balance between proposing proactive measures, reviewing agreements and crisis response. Join me on a journey through a typical work week, broken down by the hour.

Thomas is 31 years old and has been with IFORI for 1 year as Senior Privacy legal counsel. Before that, Thomas worked independently for a legal tech start-up and for several companies as a privacy consultant. We asked him to keep a diary for a week. This is his story:

Monday: Listing action items for the week

09:00 – 10:00 I start the week as DPO for a Flemish government agency. The week begins with an update on the status and listing of action items. During this time I can catch up on urgent matters and set the tone for the week.

10:00 – 12:00 Monday morning is devoted to meetings with key contacts to go over action items and distribute tasks. To this end, I work primarily with IT, HR, legal and compliance teams to ensure that policies around data protection are drafted in accordance with decree authority, implemented and adhered to.

12:00 – 12:30 Lunch break – a chance to recharge before plunging into the afternoon’s tasks.

12:30 – 15:00 In the early afternoon, I review and respond to emails and make sure to answer urgent data protection questions from employees or customers.

15:00 – 17:00 The day concludes with an analysis of the new data protection regulations (NIS2). I also look at the key decisions on GDPR in Europe and what impact they may have on our local implementation. This knowledge is vital to adjusting policies and keeping our procedures compliant.

Tuesday: Drafting an agreement

09:00 – 10:00 Today I am working for a large e-commerce retailer. The day begins with a new consulting question. For a marketing campaign, personal data of customers will be delivered to participating partners. I recommend consolidating this in a “data sharing” agreement.

10:00 – 10:30 Alignment. Together with the legal and marketing department, we work to draft a good agreement.

10:30 – 12:30 I am fully absorbed in drafting this agreement. This will take up a good chunk of the day’s work.

12:30 – 13:00 Lunch break – catching up with colleagues from the company I work for once a week. This is fun and keeps me abreast of the latest internal developments.

12:30 – 16:00 I am continuing to spend all available time drafting this agreement. With help from my colleagues and based on other similar agreements, I am making good progress.

16:00 – 17:00 The day ends with a training session for new employees where I inform them about the GDPR processes within the company, so they know where and to whom to turn in case of possible questions or problems. After all, informed personnel are the first line of defense against data breaches.

Wednesday: International consultation

09:00 – 10:00 Today and tomorrow I am working for another company, active in providing various IT solutions. They are a rapidly growing company, but still need GDPR implementation and expert support. Wednesday morning begins with alignment time with my internal manager on how we will complete the various processing activities for each local department with her international colleagues.

10:00 – 12:30 I continue to prepare the Register of Processing Activities (ROPA) so that all international colleagues have a good overview of which processes are structured where and how.

12:30 – 13:00 Lunch break – a moment of respite before we delve into the second half of the day.

13:00 – 15:00 The afternoon hours go by quickly as we virtually sit together with our international colleagues and coordinate who will perform which review. Life as a DPO clearly involves a lot of coordination and consultation!

15:00 – 17:00 The day concludes with a debrief and plan for the next day.

Thursday: Alert!

09:00 – 11:00 Alarm! Thursday morning begins with a report of a data breach! An immediate response is crucial to minimize the impact of a data breach. I get to work immediately to conduct an analysis of the severity of the leak to assess whether or not a notification to the Data Protection Authority is necessary. Fortunately, our analysis indicates low risk and we only need to document and implement mitigation measures.

11:00 – 12:00 Back to the Register. Meanwhile, I have already received a lot of feedback from international colleagues. This is something I can continue to work with.

12:00 – 13:00 Lunch break – during the lunch break, a speaker invited by the company comes to the cafeteria to talk about healthy snacks. Nice to pick up!

13:00 – 16:00 Afternoon hours are further dedicated to refining the Register. Continuous improvement is the key!

16:00 – 17:00 The day concludes with a team meeting to discuss the incident and make sure everyone is on the same page regarding incident response protocols.

Friday: Consultation and reflection

09:00 – 10:00 Friday office day! On Friday, we are all in the office at IFORI in Ghent. I start the day by reading and answering emails.

09:00 – 12:00 Friday morning is devoted to consultation moments. At the GDPR competence center meeting, we exchange experiences about our projects and brainstorm on difficult legal issues. You have to get it from your colleagues … The morning ends with a general team meeting to discuss the main practical points and to get a view of the agenda for the coming period.

12:00 – 12:30 Lunch break – together with IFORI colleagues, every first Friday of the month it is definitely FRENCH FRY-day, yay, eating fries together!

13:00 – 17:00 The afternoon consists of continuing to work on GDPR projects and counting down to the weekend!

My conclusion: being a DPO is a balancing act

Being a DPO is a demanding but fulfilling role. Each day brings unique challenges, from strategic planning and consultation to incident preparedness. In a world where data is the new gold, the role of a DPO is crucial to ensuring that organizations can safely and ethically navigate the digital landscape.

