The DPO challenges

Officer’, in the commercial sense – a holder of a senior post in a society, company or other organisation.

The European General Data Protection Regulation (GDPR) is clear. The Data Protection Officer (DPO) has a very important role to play. After all, why bother devoting three whole articles to the position? So, why do so many ‘appear’ to be failing at their jobs? A lack of respect? Perhaps. A lack of understanding – on both sides? Maybe.

First of all, a DPO is an officer

To many organisations, the role of DPO may be new, but the position of ‘officer’ shouldn’t be. The Chief Risk Officer is accountable for enabling and managing the effective governance of the risk management framework; the Chief Information Officer being responsible for enabling IT’s response to the organisation’s strategy; and so on.

In summary then, Articles 37, 38 & 39. DPOs assist the executive and senior management to monitor internal compliance, inform and advise on their data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and, also act as a contact point for data subjects and the supervisory authority.

The DPO must be independent, for example – the DPO cannot be instructed as to what result should be achieved, how to investigate a complaint or whether to consult the supervisory authority.

The DPO must be an expert in data protection – in other words, expertise must be commensurate with the sensitivity, complexity and amount of data an organisation processes.

The DPO must be adequately resourced – whether it’s active support from senior management; sufficient time to fulfil duties; financial, infrastructural and personnel support; continuous training.

The importance of the role cannot be more obvious, right? Then why is it that two years on, some DPOs are disappointed in the way they’re being treated? They feel they get no respect; their views are taken lightly, and they’re expected to take full responsibility for the compliance journey. Some feel they were simply thrust into the role, while others bemoan their lack of training. And, the source of their frustration?

• CEO – “I simply don’t have the time right now; can you leave it with my PA”
• CIO – “don’t worry yourself, I’ve got IT security covered”
• CFO – “we haven’t budgeted for those risks”
• HR Director – “I’m afraid, we don’t have anyone else to perform the role”

The case of self-appointed DPOs

DPOs themselves are not entirely blameless. In the minority, definitely. But scary nonetheless to know that some weren’t even aware of the three articles while others had simply ‘appointed’ themselves as DPO – “…oops, I wasn’t aware that being IT Manager would generate a conflict”.

Recent decisions at some data protection authorities have perhaps, also added to uncertainty about which roles potentially generate conflicts of interest. Nevertheless, there is sufficient credible guidance out there supporting the articles. Take, for example, WP29’s Guidelines on DPO’s (WP243). It doesn’t get more comprehensive than that.

The recent lockdown may be partly responsible for bringing the DPO role into sharper focus, with some considering the possibility that an external DPO could present fewer risks than appointing internally. In a recent article, we discussed ways to improve data protection for remote employees. An effective DPO would almost certainly have already prepared the organisation for the new way of operating.

The decision to (or not to) appoint a DPO cannot be taken lightly. It requires a top-down approach, with management implementing and enforcing the relevant policies and appointing suitably qualified individuals, through to the DPOs themselves, not only understanding their responsibilities but also realising the extent and reach of their influence.