The EU’s General Data Protection Regulation Data Protection Officer (GDPR DPO) role has been specifically crafted. Before the GDPR, Data Protection Officers (DPOs) existed because of a range of national laws, guidance and best practice. Globally, related roles such as Chief Privacy Officers, Privacy Officers, Heads of Data Protection, Data Protection Lead Counsels, Data Guardians and Data Governance Leads have also developed. However, GDPR DPOs have a clearer legal mandate, function and licence to operate. The largest companies and organisations, which are subject to several data protection laws, must decide how much the GDPR DPO role will influence the overall structure and substance of their global data privacy programmes. The danger is that the fundamental and unique elements of the GDPR DPO role can become trapped in governance systems that prioritise uniformity, efficiency, base-level interoperability and the lowest common denominator. It is important that the GDPR DPO role remains distinct, effective, influential and accountable.
Benefits and Risks: Appointing and Not Appointing a GDPR DPO
Not all businesses and organisations are legally required to appoint GDPR DPOs. Before GDPR, most DPOs were regarded as good practice appointments, where there was no clear legal duty to do so. This practice has continued through GDPR implementation. The GDPR is clear that both Data Controllers and Data Processors should appoint GDPR DPOs, in line with the law. Broadly, all public authorities and non-judicial public bodies must appoint GDPR DPOs. They are also legally required where any organisation regularly and systematically monitors individuals on a large scale or carries out large-scale processing of special categories of personal data or criminal offences data. Most organisations, especially larger ones, fall within these two latter categories. Where the law requires a GDPR DPO, one must be appointed, or risk breaching the GDPR. DPO appointments also encourage data governance accountability.
Questions arise for small Data Processors or the Data Controllers that do not meet the GDPR DPO threshold tests. Should they appoint a GDPR-type DPO? If they do so, should the DPO be fully GDPR-compliant, or can the organisation create its own unique DPO role? European Data Protection Board (EDPB) Guidance states that if organisations adopt a GDPR DPO, even where they are not legally obliged to do so, that DPO will be judged against the full legal requirements of GDPR. Choosing not to have an identifiable GDPR DPO is also risky. The organisation will lack capacity to build and mature data protection programmes. Working with larger data-intensive organisations, liaising with GDPR regulators, responding to data breaches and keeping up to date with data protection, cybersecurity and good practice changes, will also be more difficult.
Managing Great Expectations
The GDPR DPO can be an internal employed member of staff or an external appointment. The office holder must be well qualified, well resourced, independent and act independently. They may fulfil another role in their organisation but must avoid conflicts of interest. For example, they must not make specific data processing decisions and then provide assurance or GDPR compliance sign-off for that data processing activity. They must act autonomously and cooperate with the GDPR regulator. They must have tangible influence by reporting to the highest level of management. Conversely, they must also be accessible and contactable by staff inside the organisation, external individuals, external stakeholders and GDPR regulators. They must also not be disciplined, removed or suffer other detriment because of performing their role and duties.
The GDPR DPO’s baseline outputs are to inform and advise. They must monitor compliance, which includes involvement in promoting awareness training, assigning responsibilities and audits. The GDPR DPO should provide advice for Data Protection Impact Assessments (DPIAs). They must cooperate with and act as the point of contact for the GDPR regulator. Although not an explicit legal requirement, GDPR regulators expect DPOs to be involved in offering information and advice on decisions to report data breaches to the regulators and to individuals affected. GDPR DPOs are not responsible for GDPR compliance; this always remains the legal responsibility of the Data Controller or Data Processor.
DPOs in Reality: Details Matter
Despite the clear legal requirements, regulatory guidance and established best practice, some businesses and organisations have kept legacy data governance structures and pre-GDPR DPO reporting lines. Much of this may be a result of corporate or organisational inertia. In other organisations, whose business models prefer low or no regulation, the GDPR DPO role is often minimised, or an external law firm is used to provide legal advice from time to time. No organisational or cultural change in data governance is anticipated. The GDPR DPO requirement challenges organisational power-centres and leadership cliques. It requires boards to work closely with a board outsider, who is legally obliged to act independently and to respond to an external regulator, if and as required. It also challenges business cultures that regard regulatory compliance as interfering, anti-innovation and bureaucratic, because the GDPR DPO must monitor compliance and report to the highest level of management. Often, in these organisations, the selected DPO is a middle-manager with limited influence, little direct budget and few resources. The DPO is not seen as a coveted role for inward or outward career progression. The DPO is located far from senior leadership and the centres of power. The GDPR DPO role is also a challenge to organisations that are opaque, siloed and do not actively promote transparency and accountability.
In some organisations, the DPO is seen as an arm’s-length advisor, a person to go to for an opinion. DPOs are only permitted to become involved in a matter after business and data-use decisions have been finalised, and their role is to offer a view, for the record, which may not influence the decisions already made. The aim, in these organisations, is to evidence that they have an established process for DPO involvement. Data Protection by Design and Default, as well as high quality iterative Data Protection Impact Assessments (DPIAs), are rare, and the ones completed are often superficial. In some organisations, a very senior person with an existing substantial role is appointed as the DPO. The real work is done by a far more junior Data Protection Manager and a small team. This senior person does not have the expertise, proximity to the data processing or the ability to spot data protection issues, and so other senior employees see data protection as a non-demanding adjunct activity. For other businesses, using external or outsourced DPOs can be an effective way of freeing data governance from corporate apathy and internal factions, and of ensuring a level of detached, independent expert analysis. The challenge for these organisations is to agree enough funding for these services and to provide effective internal support systems for the external or outsourced DPO. High quality internal access for the DPO, so that they fully understand the organisation and so that the DPO’s outputs are respected and actioned, is vital for this approach to be effective.
What the GDPR Regulators say about DPOs
The EU’s data protection regulators have started to investigate and enforce the GDPR DPO requirements. They have restated and emphasised the legal duties and issued fines to businesses and organisations that have not met the legal requirements of the role. Most of the enforcement decisions have been in Belgium, Germany, Spain, Greece, Luxembourg and Austria and were about the failure to appoint DPOs. In 2020, the Belgian Data Protection Authority, Autorité de protection des données / Gegevensbeschermingsautoriteit (APD-GBA), fined a company for its DPO’s lack of independence because the DPO had other roles in the organisation. There was no system to prevent conflicts of interest, and the DPO was not sufficiently involved in the processing of personal data breaches.
In a series of cases in 2021, the Luxembourg Data Protection Authority, Commission Nationale pour la Protection des Données (CNPD), issued fines against five companies for DPOs not reporting to the highest level of the organisation (two levels of hierarchy were in between), insufficient resources to fulfil the role and not including the DPO in all data processing matters. CNPD also fined an organisation for not properly training the DPO so that they could independently and properly advise and inform the organisation. They also found that a DPO lacked enough autonomy. CNPD found common themes, such as Data Controllers not having control plans to ensure that the DPO’s duties were being properly performed.
The legal position on the role of the GDPR DPO is clear. Data Controllers and Data Processors cannot argue lack of knowledge, unclear legal interpretation or uncertainty, when their DPOs and other GDPR accountability and transparency efforts are judged and put to the test.
PrivacySolved offers External and Special Projects Data Protection Officers, as well as Data Protection Officer as a Service (DPOaaS). We also offer international businesses and organisations EU and UK Data Protection Representative Services. Contact PrivacySolved:
Telephone: +44 (0) 207 175 9771 (London)
Telephone: +353 1 960 9370 (Dublin)