While the data protection officer role is required by the EU's General Data Protection Regulation, how to operationalize the role is up for debate.
The EU General Data Protection Regulation imposed an obligation on organizations covered by the law to appoint a data protection officer. That meant a whole lot of job creation. In fact, a 2018 survey by the International Association of Privacy Professionals found that 28,000 DPOs would be needed in Europe and 75,000 worldwide, and job platform Joblift found postings for DPOs started popping up everywhere.
Organizations must hire a DPO if "its core activities involve processing of sensitive data on a large scale or involve large scale, regular and systematic monitoring of individuals." The role’s function is to verify the company’s compliance with the GDPR and to be the connection between data subject, regulator and C-suite. The role serves as the liaison between data subjects (anyone the organization collects data on) and the organization’s main supervisory authority. It monitors the company's data processing and carries out data protection impact assessments.
Essentially, the DPO must balance the company’s appetite for data with its customers’ privacy rights.
Some DPOs, or those who’d assume the new position, understandably feared being seen as a “whistleblower,” a company tattle-tale. But as Irish Data Protection Commissioner Helen Dixon said in discussing the relationship between DPO and regulator, that’s not the case. Rather, the role is essential to a company’s primary regulator because it makes “the resources of the DPA more scaleable, because the DPO is now the interface with members of the public who want to raise complaints.”
The DPO is to report to the board of directors, i.e. the highest tier of management. The data controller — the DPO’s boss — isn’t to dictate how the DPO does its job. And the GDPR affords certain protections; the DPO can’t be dismissed as a result of doing its job, even if saying “no” to management creates a conflict of interest. It’s not a simple role, however. That's in part because an organization can choose to appoint someone internally or hire an external DPO. There are pros and cons to both, but under the law, the DPO is expected to be “independent” in its guidance.
Though the GDPR is prescriptive on what a DPO should or shouldn’t do, how it functions can vary greatly from one organization to the next.
John Bowman, senior principal at Promontory Financial Group, was the U.K. government’s lead negotiator on the GDPR. He said the role can be “quite challenging” in some cases.
“A company might decide it will focus on carrying out data protection impact assessments and promulgating a culture of data protection and privacy across the organization,” Bowman said. “But then others may spend their time dealing with everything privacy-related, including complaints, that come to their inbox, which means that there is less chance to focus on culture or strategy. There’s no one-size-fits-all when it comes to DPO, because although the GDPR is quite prescriptive in the things a DPO should and shouldn’t do, in reality, it has to fit around the organization that’s already there.”
Regardless of how an organization structures the job, the mandate that DPOs act independently carries with it an inherent tension. If the DPO is employed by company X and charged with helping it comply with the GDPR, as well as cooperating with data protection authorities, can the DPO truly act without feeling pressure to bend if company X — the one providing the DPO’s paycheck — wants to implement processes that could put its compliance at risk? Could you really work next door to CEO Friendly Bob and ensure your decisions about what Bob can and can’t do will truly be independent? Wouldn’t you feel a natural sense of obligation to the hand that feeds you?
In a 2020 case, the Belgian Data Protection Authority fined an organization for appointing its head of compliance, audit and risk management as DPO. The DPA said the roles were a conflict of interest and violated the GDPR.
That’s why many say the role must be external to the company. There are services that offer DPO as a service now, among other options, and some say a DPO that doesn’t have a sense of loyalty to the company is a surer bet to act objectively.
Bowman acknowledged the ongoing debate as to whether a DPO should be internal or external.
“It depends on the individual and the personalities as to whether they can walk that diplomatic tightrope,” Bowman said. “They don’t want to be Mr. or Mrs. No. They want the business to succeed as well, but I think you have to sell it that in order to succeed, they need to be compliant.”
Rita Heimes, chief privacy officer at the IAPP and formerly its DPO, said it can be a complicated role because there’s not always a clear answer on what to do. While there is increasing guidance from European regulators on the role of the DPO, there are plenty of instances in which there is no road map or precedent.
Heimes served as the IAPP’s internal DPO and said there are clear benefits.
“The huge advantage to the inside role is the personal relationships you have with the people who have to implement the decision,” she said, because whether the role is internal or external, the DPO will spend the majority of its time reading the applicable laws and the operational guidance on them. They’re not spending their time building the consent form a user will click for access to a white paper, for example.
“You know that person, you know the marketing person or team that wants to use that form in that particular instance. You know the people trying to do web analytics and what they’re struggling with, and you can work with them without the clock running to problem solve. So that’s super healthy and great to have people to have those internal discussions with.”
Having said that, there are plenty of times Heimes wished she'd had access to consult with an external DPO, especially a European DPO, who undoubtedly thinks about privacy within the European context and the laws comprising European values and norms.
In addition, external DPOs, ostensibly providing the service to a number of organizations, have a bird’s-eye view the internal DPO can’t.
“They see what all of their clients do to solve problems, so just like outside counsel, have a view across multiple clients. And that in itself is sort of a data set,” Heimes said.
Though organizations continue to grapple with how to hire and structure the role, Bowman sees it as a change in organizational mindset that will take time. He compared the maturation of the DPO role to modern health and safety requirements. When he started work, everyone smoked cigarettes in the office. Now, that seems “incredible,” and people realize a safe work environment is a necessity. But that mental shift took decades.
“I think the job is still evolving really, and I’m not sure if a consensus has been arrived at as far as what the DPO role is,” he said. “I think it’s a cultural shift really, and that cultural shift is not mature yet. It’s got a number of years to go.”