How guide

Your to make
to
Phishing
an impact in your
first 90 days as a
new
An DPO?
information security
eBook by TSC
An information security
eBook by TSC

Scan here
to download
this eBook.

Raise awareness Develop knowledge Change behaviour Develop security culture

Congratulations on your new role as a
Data Protection Officer (DPO)!
As a DPO, you play a critical role in protecting your organisation’s data and managing its cyber security
risk. However, being a DPO is not an easy task, and the first 90 days in this role are particularly challenging.
In this comprehensive eBook, new Data Protection Officers will find essential guidance on their role and
responsibilities.
Your partner in
cyber security and
culture change
As you embark on your
journey to transform your
organisation’s security culture,
partnering with a trusted cyber
security awareness training
and security culture change
provider like The Security
Company can significantly
enhance your efforts. The
Security Company offers a
wide range of services and
products tailored to help
you educate, engage, and
empower your workforce to
become a proactive line of
defence against cyber threats.
However, new UK data protection legislation removes the requirement
for a DPO, requiring a Senior Responsible Individual (SRI) instead. For
UK companies dealing with the personal data of citizens or customers
living in Europe, the GDPR requirement for a DPO remains.
We will cover UK-specific legislation, SRIs, ePrivacy, cookies and
controller and processor responsibilities in a future eBook.
Contents
1. Introduction
a. The typical activities of a DPO
b. The day-to-day activities of a DPO
2. Technical responsibilities: DPIAs
a. What is a Data Protection Impact Assessment (DPIA)?
b. Conducting DPIAs effectively
3. Technical responsibilities: SARs
a. Understanding Subject Access Requests (SARs)
b. Managing SARs effectively
4. How to deal with data breaches
a. Preparing for data breaches
b. Mitigating potential vulnerabilities
c. Detecting and reporting data breaches
5. Top tips for DPOs
a. Building strong relationships with key stakeholders
b. Staying abreast of data protection laws and regulations
c. Promoting a data protection culture
6. Let’s start communicating …
a. The role of security awareness and data protection training
b. Designing effective security awareness programs
c. The benefits of gamification
d. The importance of continual training and reinforcement
e. Measuring the effectiveness of training initiatives
7. Final thoughts
a. Identifying areas for improvement and growth
Introduction
Welcome to the challenging and exciting role of a
Data Protection Officer (DPO). As a DPO, you play a
crucial role in safeguarding individuals’ personal data
and ensuring your organisation’s compliance with
data protection laws and regulations.

In your first 90 days, it’s essential to establish a

strong foundation for success.

This eBook will guide you through the typical

activities and day-to-day responsibilities of a More than 120 nations have adopted a version of data
DPO, as well as provide detailed insights into your protection rules to safeguard citizens’ personal data.
(European Data Protection Supervisor, 2022)
technical responsibilities.

1a. The typical activities of a DPO

As a new DPO, you’ll encounter a diverse range of activities that contribute to protecting personal data and
ensuring your organisation’s data protection compliance. Some of the typical activities include:

Awareness and education: You’ll provide expert

• 
advice to your organisation’s employees on data
protection matters, ensuring they understand
their responsibilities regarding data handling
and processing. You’ll be the data protection role
model but also an advocate for data education.
• Data protection policies and procedures:
Collaborate with relevant stakeholders to
develop and implement data protection policies,
procedures, and guidelines that foster a culture
of data privacy and security at all levels of your
organisation.

Monitoring compliance: Regularly assess and

• 
monitor your organisation’s data processing
activities to ensure they align with relevant
data protection laws, such as the General Data
Protection Regulation (GDPR), and are absent of
security gaps.
• D
 ata mapping and inventory: Maintain an up
to date inventory of all data processing activities
and conduct data mapping exercises to identify
potential risks and vulnerabilities. Implement a
data backup system/protocol to ensure a return to
smooth activities should a breach occur.

Liaising with regulatory authorities: Serve as

• 
the primary point of contact for supervisory
authorities and cooperate with them during audits
and investigations.

95% of cyber security incidents are traced to human error (WEF Global Risks
Report 2022)

How to make an impact in your first 90 days as a new DPO? 3

Data protection awareness and
training with The Security Company

The Security Company has over 20 years of experience

delivering data protection training and awareness
materials to global organisations.

Our data protection products include:

• Data Protection and Privacy eLearning

• Data Protection animated infographic

• GDPR animated infographic

• GDPR eLearning

• GDPR refresher eLearning

• GDPR refresher animated infographic

• Data Loss Prevention ‘Safety Net’ game

• … and more, including posters, leaflets, animated

cartoons, GIFs and Cyber Security Month materials.

1b. The day-to-day

activities of a DPO
In addition to the typical activities, your day-to-day
responsibilities as a DPO will involve tasks such as:

Responding to subject access requests:

• 
Addressing requests from individuals who want to
exercise their data protection and access rights.

Data Privacy Impact Assessments (DPIAs):

• 
Conducting PIAs to identify and mitigate potential
privacy risks associated with new projects or
changes to existing processes.

• Incident management: Leading the response

to data breaches and other data protection
incidents, ensuring timely reporting to the relevant
authorities and affected individuals.

Cyber security training and awareness:

• 
Organising data protection training sessions
and awareness campaigns to foster a privacy
conscious culture among employees and ensure
that workforce knowledge levels are up to date.

Data protection documentation: Keeping records

• 
of data processing activities, data protection
policies, and consent mechanisms.

How to make an impact in your first 90 days as a new DPO? 4

Technical responsibilities:
DPIAs

2a. What is a Data Protection

Impact Assessments (DPIA)?
A Data Protection Impact Assessment (DPIA) is a
systematic process used to identify and minimise
the data protection risks associated with data
processing activities and projects. DPIAs are crucial
for understanding and evaluating potential risks,
ensuring data protection compliance, and avoiding
breaches or leaks.

Why are DPIAs important?

DPIAs help organisations proactively identify and

address potential data protection risks before
starting a new project or implementing changes to
data processing activities. By conducting DPIAs, you
can assess the need for and potential consequences
of data processing, whilst also ensuring compliance
with data protection regulations.

2b. Conducting
DPIAs effectively
1. Clearly define the scope and purpose of the data
processing activity subject to the DPIA.

2. Analyse the potential risks to individual and

organisational data privacy and evaluate the
impact of the processing activity.

3. Propose measures to minimise or eliminate

identified risks, ensuring a high level of data
protection.

4. Ensure that DPIAs become an integral part of

your organisation’s project management and
risk assessment processes.

5. Work closely with relevant departments, such

as legal, IT, and marketing, to gather necessary
information and expertise for a comprehensive
DPIA.

6. Periodically review and update DPIAs to reflect

any changes to data processing activities or
regulations.

How to make an impact in your first 90 days as a new DPO? 5

Technical responsibilities:
SARs

3a. Understanding Subject

Access Requests (SARs)
Many data protection laws, including GDPR, give
citizens the right to request access to any data an
organisation holds on them. Under GDPR, this is
called a Subject Access Request (SAR). As a DPO,
you’ll play a vital role in facilitating and managing
SARs efficiently.

SARs may come in various forms, such as written

letters, emails, or online forms, and it is essential
to recognise them promptly. Often, SARs must be
addressed within a specific timeframe (30 days
under GDPR), and it’s crucial to respond with
accuracy and transparency.

Why are SARs important?

Effectively handling SARs is crucial for

demonstrating your organisation’s commitment to
data protection and compliance.

63% of consumers worldwide believe companies

are not honest about how they use their personal
information. (Tableau & Cisco)

Some SARs may contain sensitive information

about the requester or other individuals. As a
DPO, you must take extra precautions to manage
this information securely. By effectively managing
SARs and safeguarding sensitive information,
you’ll build trust with individuals and demonstrate
your organisation’s commitment to respecting data
privacy rights.

How to make an impact in your first 90 days as a new DPO? 6

Here are some essential steps to handle
SARs efficiently:

3b. Managing SARs effectively

1. Develop a well-defined process for managing
SARs, ensuring that employees across the
organisation understand their roles and
responsibilities when handling such requests.

2. Restrict access to SAR-related information

to authorised personnel only and implement
strong authentication measures. Where
possible, remove or obscure any sensitive
information about third parties, unless consent
or legal basis permits its disclosure.

3. Upon request, verify the identity of the

individual making the SAR to prevent
unauthorised access to sensitive personal
data.

4. Identify and collect all the personal data

related to the requester, ensuring that you
include data from all relevant departments
and databases.

5. Aim to respond to SARs promptly and within

any designated timeframe specified by data
protection regulations.

6. Ensure that your response is clear, concise,

and provides the requested information in a
comprehensive manner. Use secure channels
for communication and data transfer when
responding to SARs to prevent unauthorised
access or data breaches.

7. If there are legitimate reasons for refusing

to provide certain information, such as legal
exemptions, clearly explain these reasons to
the requester.

8. Keep records of all SARs received and the

actions taken in response to each request for
audit and compliance purposes.

9. Regularly assess your SAR process, seeking

feedback from requesters and employees
involved, to identify areas for improvement.

How to make an impact in your first 90 days as a new DPO? 7

How to deal with
data breaches

In 2022, the average cost of a data breach worldwide was $4.35 million. (IBM
Cost of a Data Breach Report 2023)

4a. Preparing for data breaches

As a DPO, it’s essential to be proactive and develop
a comprehensive data breach response plan before
a breach occurs. A well-prepared response plan can
help minimise the impact of a breach and ensure
compliance with data protection regulations.

Here are key steps to prepare for data breaches:

• E
 stablish a data breach response team:
Assemble a team of key stakeholders from various
departments, including IT, legal, communications,
and senior management, to create a coordinated
response.

Develop a breach response plan: Create a

• 
detailed plan outlining the steps to be taken in
the event of a data breach. Include roles and
responsibilities, communication protocols, and a
clear escalation process.

• S
 imulate data breaches: Regularly conduct
simulated data breach scenarios to test the
effectiveness of your response plan and identify
areas for improvement.

• R
 eview and update policies: Ensure that your
organisation’s data breach policies are up-to-date
and align with current data protection regulations.

60% of consumers indicate an intention to spend more with a brand they trust to
responsibly handle their personal data. (Truata, Global Consumer State of Mind
Report 2021)

How to make an impact in your first 90 days as a new DPO? 8

4b. Mitigating potential
vulnerabilities
Data breaches can occur due to various
vulnerabilities in your organisation’s systems and
processes. As a DPO, part of your role is to identify
and mitigate these vulnerabilities to minimise the risk
of a breach:

• Conduct periodic risk assessments to identify

potential weaknesses in data processing activities
and infrastructure (TSC’s Security Awareness
and Behaviour Research tool is a tried and tested
solution for this).

• Limit the amount of personal data collected and

processed to reduce the potential impact of a
breach.

• Implement strong encryption methods and

access controls to protect sensitive data from
unauthorised access.
SABR (Security Awareness and Behaviour
• Ensure that third-party vendors who handle Research): Comprehensive tool, designed to
personal data on behalf of your organisation assess your organisation’s security maturity.
maintain robust data protection practices.

4c. Detecting and reporting

data breaches
Despite taking preventive measures, data breaches
can still occur. Early detection and swift reporting are
crucial to minimising the damage and complying with
data protection regulations:

• I mplement monitoring and detection tools:

Utilise intrusion detection systems, log analysis,
and other monitoring tools to identify unusual
activities that may indicate a breach.

• I ncident reporting: Establish clear channels for

employees to report suspected data breaches
promptly.

Between January 2021
and January 2022, nearly
£1 billion in fines were
issued for a wide range
of GDPR violations. This
is a 594% increase on the
previous year! (DLA Piper
GDPR fines and data
breach survey)
• D
 ata breach notifications: Familiarise yourself
with data breach notification requirements under
relevant data protection laws and ensure timely
reporting to the relevant supervisory authorities
and affected individuals.
By being proactive in preparing for data breaches,
identifying vulnerabilities and promptly detecting
and reporting incidents, you can play a critical role in
protecting your organisation and maintaining trust
with customers and stakeholders.

How to make an impact in your first 90 days as a new DPO? 9

Top tips for DPOs

5a. Building strong relationships

with key stakeholders
You are a bridge between data protection
regulations and the various departments within your
organisation. Building strong relationships with key
stakeholders in different departments is essential for
ensuring successful data protection practices:

• C
 ollaborate and communicate: Foster open and
regular communication with departments like IT,
legal, HR, and marketing to understand their data
processing activities and provide guidance on
compliance.
• Educate stakeholders: Provide clear explanations
of data protection laws, regulations, and best
practices to help stakeholders understand their
responsibilities in protecting personal data.
Senior management buy-in: Establish a good
• 
working relationship with senior management
to secure their support for data protection
initiatives and resource allocation. Use manager
masterclasses and external cyber awareness
partners to educate board members and achieve
financial and conscious buy-in.
TSC your partner in board engagement
We are passionate about helping organisations
we work with to develop a strong security
culture. We know that behaviour change
projects have a greater chance of success if
you receive board engagement. That’s why we
implement board engagement strategies to
ensure DPOs receive approval.
We contextualise cyber risks using language
that executives can understand in order to get
backing and support. Our goal is to provide
all of our clients with a long-term strategy to
sustain and grow their security culture.

5b. Staying abreast of data

protection laws and
regulations
Data protection laws and regulations are continually
evolving. As a DPO, it’s crucial to stay up to date with
the latest changes:

• Attend seminars, webinars, and workshops on

data protection topics to expand your knowledge
and stay informed about the latest developments.

• Engage with other data protection professionals

to share experiences, insights, and best practices.

• Regularly review official websites and

publications from data protection authorities
to stay informed about changes in laws and
guidelines.

How to make an impact in your first 90 days as a new DPO? 10

5c. Promoting a data
protection culture
Creating a data protection culture is crucial for
ensuring that data privacy and security are ingrained
in your organisation’s DNA.

• T
 raining and awareness: Provide regular data
protection training to all employees to instil a
sense of responsibility and accountability for
protecting personal data.

Lead by example: Demonstrate your commitment

• 
to data protection through your actions and
decision-making. Be the data protection role Only 1 in 9 businesses
model your employees can follow. provide cyber security
awareness training for
• Internal communications: Use internal non-cyber employees.
communication channels to reinforce the (DSMS, Cyber security
importance of data protection and celebrate
skills in the UK labour
successes in compliance. Your employees learn
market, 2020)
differently; leverage various communication
channels to reach them all.

How to make an impact in your first 90 days as a new DPO? 11

Let’s start communicating…
6a. The role of security
awareness and data
protection training
Security awareness and data protection training
are essential components of creating a security
conscious culture within your organisation.
Employees play a crucial role in protecting personal
data, and proper training can significantly reduce the
risk of data breaches and non-compliance.
Understanding data protection: Educate
• 
employees about the principles and importance
of data protection, as well as their responsibilities
in handling personal data. You can use eLearning
courses, interactive games, physical posters and
leaflets, social media posts and any effective
communication channel you have assessed.
Recognising phishing and social engineering:
• 
Train employees to recognise common cyber
security threats, such as phishing emails and
social engineering attempts to gain access to an
individual’s or an organisation’s data.
Data handling best practices: Provide guidelines
• 
for secure data handling, including data
classification, storage, and destruction. Your
employees will be handling data every single day
and you need them to behave accordingly every
single day.
How to make an impact in your first 90 days as a new DPO?
Join TSC for a tried and tested
security culture journey
We use cyber awareness campaigns, engaging
online training, employee development
programs and behaviour change strategies to
build a strong security culture.
After sitting down and assessing your
organisation’s security levels, we pinpoint
where you are in our 4-step journey and get
to work.
Our 4-step journey
1. Raise awareness: Physical and digital
materials on risks and threats to increase
understanding.
2. Develop knowledge: Recharge and build
new knowledge with games, training, and
collaborative opportunities.
3. Change behaviour: Enable effective security
behaviours across your workforce.
4. Develop a secure culture: Ongoing promise
to support and innovate against emerging
threats at the highest levels.
12
6b. Designing effective security
awareness programs
To create a successful security awareness program,
consider the following elements:

Tailored content and language: Develop training

• 
materials that are relevant to employees’ roles
and reflect the specific data protection challenges
they face. Tailored content also considers the
different languages your employees speak and the
communication channel that is most effective with
their age group. For example, older employees
are more receptive to eLearning courses, whilst
younger employees are more receptive to
animation, graphics and interactive games.

Engaging content: Use a mix of media, such as

• 
videos, infographics, eLearning courses, webinars,
team activities and interactive games, to keep
employees engaged and interested.

• R
 egular training: Implement ongoing training
sessions to reinforce key concepts and adapt to
changing data protection risks. Cyber threats
are always changing. If your training stands
still, you leave your employees open to fresh,
emerging threats.

Bonjour! Hola! Salut! Ni Hao!

Multiple languages available.
All of our products are customisable and available, upon request, in over 15 languages
to maximise employee engagement and knowledge retention.

6c. The benefits of gamification

Gamification adds an element of excitement and
competition to data protection training.

Leaderboards and rewards: Implement

• 
leaderboards to showcase top-performing
employees and reward them for their efforts
in data protection training. Create a sense of
competition that encourages safer behaviours in
the entire workforce.

• S
 cenario-based training: Use gamified scenarios
to simulate real-life data protection situations,
allowing employees to make decisions and
learn from the outcomes. For example, our VR
cyber security game, Reality Check, simulates
a metaverse environment and the threats your
employees face. This is hands-on simulated
training that is hugely complimentary to
eLearning courses.

How to make an impact in your first 90 days as a new DPO? 13

TSC’s collection of games will change how your
employees learn

• Password Cracker
• Game of Cloud Security
• Workstation Security
• Classifications: High or Low
• Scam Survival
• Don’t take the (phishing) bait
• Spot the risks in the office, on the move and at
home
• ID badge identifier
• Strongest password
• Password challenge
• Ransomware Resistance
• Festive scams (Whack-an-elf)
• Cybermaze of threats
• Account hijacking (Snakes and Ladders)
• Authentication hacks
• Safety Net (data loss prevention)

6d. The importance of continual 6e. Measuring the effectiveness

training and reinforcement of training initiatives
Data protection training should be an ongoing process
to keep employees informed and aware of the latest
threats and best practices. Remember to update
training content as data protection laws and regulations
change or new threats emerge. You must also offer
refresher courses periodically to reinforce key data
protection principles and ensure knowledge retention.
Evaluating the impact of your data protection
training is essential to demonstrate the value of the
training program, pinpoint gaps and identify avenues
for improvement.
Knowledge assessments: Conduct pre-and post-
• 
training knowledge assessments (like TSC’s SABR
and Mini-SABR) to measure the effectiveness
of your training in improving employees’
understanding of data protection. Use these
assessments to find gaps in knowledge that can
be addressed in your follow-up campaign.

Feedback and surveys: Collect feedback from

• 
employees to gauge their satisfaction with
the training. This will help you identify which
communication channels they identify and engage
with.

• I ncident analysis: Analyse data breaches and

incidents to determine whether additional or
enhanced training could have mitigated the risks.

Incorporating effective communication and training

strategies will help ensure that your organisation
maintains a strong data protection culture.

How to make an impact in your first 90 days as a new DPO? 14

Final thoughts

7a. Identifying areas for

improvement and growth
Remember, the role of a DPO is not just about
fulfilling legal obligations; it’s about championing the
rights and privacy of individuals while safeguarding
your organisation’s reputation. As you progress in
your role, never lose sight of the impact you have on
protecting personal data and upholding the trust
placed in your organisation.

Remember to continuously learn, adapt, and improve

to ensure ongoing success as a DPO. Your dedication
to data protection will undoubtedly contribute to a
more secure and privacy-conscious future for your
organisation and its stakeholders. Best of luck on
your journey as a Data Protection Officer!

What our clients say:

“We are so impressed by the offering and services TSC has provided we are
working with them on more specific role-based eLearning to further develop our
specialist employees’ understanding of information security” Chris Mortlock, Specsavers

“The Security Company’s ability to deliver engaging content time and time again
has been invaluable in delivering this cyber security control for Reach plc, so
much so that we are now in our 3 year of working with TSC. When looking for
cyber security training and awareness material for your organisation, TSC is a
must.” Jat Chana, Reach plc

“TSC excels at understanding the client’s specific requirements and working

with the information provided. TSC provided an outstanding level of quality,
customer understanding, design implementation, and project management.
hey would be my first recommendation to anyone looking for professional
security awareness.” David Cowper, TT Electronics

How to make an impact in your first 90 days as a new DPO? 15

The Security Company:
Your trusted partner for
long-term success
Partnering with The Security Company provides you
with a trusted ally in achieving long-term success in
your security culture initiatives. With our expertise
and comprehensive range of services. The Security
Company can support you throughout your journey.

Here’s why we are the ideal partner:

E xtensive experience: Proven track record:

With years of experience in the cyber security The Security Company has a proven track record
industry, The Security Company has a deep of success, having assisted numerous global
understanding of the challenges organisations face organisations, from a variety of industries, in
in building a security-aware culture. We bring a transforming their security culture. We have received
wealth of knowledge and practical insights to guide accolades and recognition for our innovative approach
you through the process. and ability to drive positive behavioural change.

Tailored solutions: Comprehensive services:

The Security Company offers customisable solutions From security awareness training and
that cater to the unique needs and goals of your communication campaigns to board engagement
organisation. Whether you require engaging training and behavioural analysis, The Security Company
materials, effective communication strategies, or offers a wide range of services to support every
change management support, we can tailor our aspect of your security culture initiatives.
offerings to meet your specific requirements.

Partnering with The Security Company ensures that you have a dedicated partner committed to your
organisation’s long-term success in building a security-conscious culture.

www.thesecuritycompany.com @TSCPeopleSec @thesecurityco @thesecurityco

© The Security Company (International) Limited 2023. This document may be distributed internally within your organisation for educational purposes. It must not be copied, replicated, edited, or
distributed externally without the express permission of The Security Company (International) Limited.