What is a Data Protection Officer (DPO)?
A Data Protection Officer (DPO) is an individual appointed by an organisation, and acting independently within it, whose primary role is to help the organisation comply with its data protection obligations. The DPO can be an existing member of staff or an external appointee. Where an in-house DPO holds a dual role, the organisation must ensure that the other duties do not create a conflict of interest; Article 38(6) of the GDPR makes this the controller's or processor's responsibility. A DPO is not mandatory for every organisation, but the General Data Protection Regulation (GDPR) sets out a number of situations in which one must be appointed. Article 37(1)(a)-(c) of the GDPR requires a DPO in any case where:
- When the processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
- The core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale.
- The core activities of the controller or processor consist of processing on a large scale of special categories of personal data (Article 9 of the GDPR) or of personal data relating to criminal convictions and offences (Article 10).
With that said, organisations falling outside the above scope may still appoint a DPO voluntarily. Doing so can be a competitive advantage: a DPO's oversight tends to reduce the likelihood and impact of data breaches, which protects revenue and strengthens the organisation's brand image. Note that a voluntarily appointed DPO is subject to the same requirements under Articles 37 to 39 as a mandatory one.
What are the Duties of a DPO?
When appointing a DPO, Article 37(5) of the GDPR requires that the DPO be designated on the basis of professional qualities, in particular expert knowledge of data protection law and practice, and the ability to fulfil the tasks set out in Article 39. Article 39(1)(a)-(e) lists the minimum tasks a DPO must perform. The DPO must:
- Inform and advise the controller or processor and their employees of their obligations under the GDPR.
- Monitor compliance with the GDPR, with other Union or Member State data protection provisions, and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and the training of staff involved in processing operations.
- Advise, where requested, on data protection impact assessments (DPIAs) and monitor their performance in accordance with Article 35.
- Cooperate with the supervisory authority.
- Act as the point of contact for the supervisory authority on issues relating to processing, including prior consultation under Article 36, and consult with the authority on any other matter where appropriate.
Obstacles Hindering DPO Activities
In an ideal world, data subjects would provide their personal data to a company in order to receive a service; in return, that data would be used only for the stated purpose and then either disposed of appropriately or protected so that it is not misused. Unfortunately, data breaches, undisclosed data sharing and negligent data protection practices are all too prevalent. The ever-evolving data protection landscape means DPOs now face a wide variety of challenges that interfere with their day-to-day tasks and hinder them in fulfilling their Article 39 obligations. While in no way exhaustive, the list below highlights some of the more prominent ones.
Challenge 1: Lack of ‘Buy-in’ from Senior Management
Arguably, one of the greatest difficulties DPOs face is obtaining sufficient endorsement and support from top-level management. This is despite Article 38(1) requiring the organisation to involve the DPO, properly and in a timely manner, in all issues relating to the protection of personal data, and Article 38(3) requiring the DPO to report directly to the highest management level. In all aspects of life, change can instil feelings of uncertainty, insecurity or resistance. Where the DPO is afforded insufficient deference, or employees see management resist changes to the organisation's processing activities that the DPO has proposed, the uptake of best-practice approaches is impeded and stagnation ensues. Unlike business activities such as marketing, where change often produces a clearly demonstrable benefit such as increased engagement and profit, the data protection function delivers its value slowly. It can be difficult for the DPO to convey the importance of GDPR compliance because there is no instant pay-off comparable to a successful marketing campaign that produces an immediate rise in sales. If the organisation has not yet suffered a data breach under its existing practices and policies, changing the culture across the company can be extremely difficult.
Challenge 2: Lack of Employee Data Protection Knowledge and Training
In many instances, the only exposure employees have to data protection or the GDPR is during their induction training at the start of their employment. Unfortunately, this vital information is often delivered at the same time as they are trying to learn their day-to-day tasks and familiarise themselves with the company. As a result, most companies' data protection training is treated as a one-off box to tick rather than something with substance behind it. This can lead to a lack of organisational harmonisation, as departments within the same organisation may be unaware of how personal data is used by other departments. If employees are not regularly reminded of the importance of adhering to data protection policies at work, the likelihood of an avoidable data breach rises sharply. Where staff are not adequately trained to recognise an incoming subject access request, to spot a phishing or other cyberattack attempt, or to recognise when a Data Protection Impact Assessment (DPIA) may be needed, the personal data under the organisation's stewardship is put at risk and the DPO is left advising the company on how to address these issues retrospectively. A structured, recurring data protection training programme is therefore essential to reduce the data protection risks that arise from staff error.
Challenge 3: Lack of Organisational Resources
One burden of GDPR compliance is that it often requires changes to the current business model. These changes can bring increased costs, as processing methods (such as storage) may need to be altered. Moreover, if an organisation lacks the capability to perform certain tasks internally, it may need to outsource them, which also increases expenditure. Many organisations seek outside assistance in conducting a DPIA or a data protection gap analysis (DPGA). Where internal resources are scarce, it can be difficult for a DPO to persuade the company to make use of these services and thereby improve its compliance with the legislation, even though Article 38(2) requires the organisation to provide the DPO with the resources necessary to carry out the Article 39 tasks. As a result, the DPO must be able to communicate succinctly the future benefits the organisation can expect as GDPR compliance strengthens its brand reputation.
Challenge 4: Poor Risk Management
Another challenge for DPOs assisting with an organisation's GDPR compliance is that the data protection risk register is often incomplete or inadequate. A risk register records each identified risk together with its likelihood, impact, owner and planned mitigation, so that it can be tracked over time. Where the organisation lacks a well-defined risk register, it becomes much more difficult for the DPO to advise on GDPR compliance, as the underlying information needed to make appropriate and effective mitigation suggestions is missing. This can lead to data breaches that the DPO might have been able to prevent had they been given the opportunity. Consequently, the DPO may then have to spend valuable time assisting in the aftermath of avoidable breaches rather than analysing the risk register for risks that could be mitigated before they materialise.
Challenge 5: 3rd Party Transfers
Data has been described as 'the new oil', so it is no surprise that data sharing and transfers have increased. As there is no single global data protection regime, the DPO plays a vital role in transfers to third parties, whether those are processors, joint controllers or recipients outside the EEA. Developments such as Brexit have added to the complexity of this role. DPOs now face challenges such as international counterparties subject to different privacy laws, the location of any sub-processors, the identification of an appropriate transfer mechanism under Chapter V of the GDPR (for example an adequacy decision or standard contractual clauses), and assessing whether the data processing agreements required by Article 28(3) that exist, or need to be put in place, between the parties are adequate. DPOs may also be confronted with a lack of due diligence on the organisation's part regarding the level of GDPR compliance of the third parties with whom it shares data, even though Article 28(1) permits the use only of processors providing sufficient guarantees. This places the organisation in a risky position, as a breach on the third party's side through negligence remains the organisation's problem.
Evidently, DPOs face a wide variety of challenges. It is also clear that an overarching issue in this area is that DPOs can be left with an unmanageable workload. This places a great deal of pressure on the individual, and it stems from organisational neglect of the data protection obligations the organisation itself carries.