1 “This is not what I signed up for”
The tale of Uriah the Hittite tells the story of a soldier who was abandoned by his fellow soldiers. Still he fought valiantly until he eventually had to succumb to the approaching enemy forces. The story mirrors the feeling many DPOs today have about their role in privacy management now that the GDPR programs have been shut down. They are expected to manage the demanding role of DPO while feeling under siege.
During my recent talks with DPOs, I have increasingly heard about the challenging conditions that some of them are facing. This notion was further substantiated last week, when the Danish DPO association launched a [dis-]satisfaction survey among its members, due to increasing frustration over their work conditions.
Based on what I hear, the challenges can be categorised into the following buckets:
- Opposition from the rest of the organisation,
- Massive and increasing workload,
- The independence of the DPO being challenged,
- Lacking management support to change the current situation.
The role of the DPO is an important component of the data protection regime in Europe. If the challenges turn out to be more systemic across corporations in Europe, DPOs should not have to resolve matters individually. Instead, authorities will need to take an active role in improving the conditions for DPOs by providing clear guidance on practical matters, and through enforcement in cases of infringement. In the paragraphs that follow, I will share my thoughts on how the DPO can, hopefully, deal with these challenges him/herself.
2 What the regulation says
Before going into a discussion of the issues, I will briefly outline what the Regulation says in Arts. 38 and 39 about the role of the DPO. General guidance on the role of the DPO is also available in Guideline 243 from the EDPB. In addition, separate guidance has been issued by a number of authorities, e.g. the ICO and the Danish Data Protection Authority.
In a nutshell: in certain situations, cf. art 37, it is mandatory for companies and organisations to designate a DPO. Those situations include, e.g., being a public authority, or systematically monitoring individuals on a large scale as a core activity.
The DPO should strive to ensure compliance with data protection legislation and enable a free flow of personal data for the organisation, while protecting the privacy of individuals through interpretation and implementation of data protection laws and practices.
Article 38 of the GDPR requires that the controller and the processor shall ensure that the DPO is ‘involved, properly and in a timely manner, in all issues which relate to the protection of personal data’.
Article 38(3) establishes some basic guarantees to help ensure that DPO can perform his/her tasks with a sufficient degree of autonomy: companies are required to ensure that their DPOs are not instructed in the performance of their tasks and should make the DPO report directly to the highest management level.
This means that, in fulfilling their tasks under Article 39, DPOs must not be instructed how to deal with a matter, for example, what result should be achieved, how to investigate a complaint or whether to consult the supervisory authority. Furthermore, they must not be instructed to take a certain view of an issue related to data protection law, for example, a particular interpretation of the law. (European Data Protection Board)
The guidance from the European Data Protection Board states that if the controller or processor makes decisions that are incompatible with the DPO’s advice, the DPO should be given the possibility to make his or her dissenting opinion clear to the highest management level and to those making the decisions. However, this does not mean that the DPO has decision-making powers extending beyond their tasks pursuant to Article 39. The organisation is therefore also not bound by the advice or position of the DPO.
Furthermore, the DPO does not have decision power on legal risk. This mandate typically lies with the legal function of the organisation, which may decide otherwise and is likewise not bound to follow the advice of the DPO. However, WP243 states that:
The opinion of the DPO must always be given due weight. In case of disagreement, the WP29 recommends, as good practice, to document the reasons for not following the DPO’s advice.
2.1 The DPO’s role in impact assessment and interpretation of data protection laws
Article 38 of the GDPR provides that the controller and the processor shall ensure that the DPO is ‘involved, properly and in a timely manner, in all issues which relate to the protection of personal data’.
In relation to data protection impact assessments (DPIA), the GDPR provides for the early involvement of the DPO and specifies in Article 35(2) that the controller shall seek the advice of the DPO when carrying out such impact assessments. WP243 states that ‘if the controller disagrees with the advice provided by the DPO, the DPIA documentation should specifically justify in writing why the advice has not been taken into account’. Furthermore, Article 36 requires the controller to consult the data protection authority through the DPO prior to processing where the DPIA indicates there is unmitigated high risk.
3 So, what does this mean in practice?
Good privacy management stems from good privacy governance implemented in practice. If the independence of the DPO exists only on paper in the organisation’s documents, while in fact a) the advice of the DPO is not welcome, b) the DPO is not being involved in all relevant processes, or c) the DPO is being asked to change her/his recommendations, then this constitutes a significant weakness and possibly a breach of the GDPR.
Senior management needs to support building the privacy culture of the organisation not only by making available the resources necessary, cf. GDPR art 38, to carry out the required tasks, but also through supporting the DPO in carrying out her/his tasks. This entails listening and taking action based on the sometimes inconvenient account from the DPO on the status of the organisational privacy maturity.
3.1 How to deal with the matters
3.1.1 Opposition from the rest of the organisation
Opposition from the rest of the organisation towards privacy work typically stems from three sources: lack of support from executive management for privacy work, unclear roles and responsibilities, and inadequate tools.
If the executive management has not clearly communicated the importance of strong privacy management and practices to the entire organisation, it can be difficult for the average employee who is not directly involved in data protection work on a daily basis to understand the importance of the sometimes tedious tasks that need to be carried out. It is critical that senior management sets a clear tone from the top and devotes time and effort to stressing the importance of a sound privacy culture.
Another reason for opposition can be the lack of well-defined roles and clear assignment of responsibilities. In many organisations, there is still room for improvement when it comes to designing the organisation that is required to maintain documentation of data processing activities and to carry out the required assessments and tasks.
When an employee is suddenly faced with a privacy-related task that has not been prioritised by management or formally assigned to him/her through governance, the natural reaction in a busy business environment is to push back. The DPO will experience this as a rejection of, or even opposition to, the work that needs to be done. Consequently, it is critical that every organisation takes time to consider the roles needed to carry out all relevant tasks at the strategic, tactical and operational levels. Until clear roles are defined, and responsibility for who needs to do what by when is assigned to existing roles, the DPO will continue to struggle to get buy-in.
The third reason that the DPO may struggle with opposition is outdated and inefficient tools. Many organisations still rely on Excel sheets and Word templates, at best located centrally on a SharePoint site. This setup makes it practically impossible for the DPO to delegate work efficiently, and allows only limited tailoring to the specific situation. The recipient in the organisation will therefore experience the interaction with the DPO as rigid and overburdening. Many good tools are available on the market today, and the DPO should have access to the best of them to make it as easy as possible for the organisation to support the DPO.
3.1.2 Insurmountable workload
The reason for the workload challenge typically stems from ineffective organisational design, lack of resources and lack of availability of adequate tools.
Once again, the lack of efficient organisational design is the culprit when it comes to making the work of the DPO difficult. In many organisations the DPO has ended up being the workhorse for the entire corporation. The DPO has to maintain the records of processing activities, draft data processing agreements, conduct DPIAs, ensure implementation of technical capabilities, train employees and monitor the implementation of privacy practices. In other words, the DPO has ended up being an operational resource required to carry out tasks that ideally should be carried out by those responsible for the processing activities. Bear in mind that Article 39 of the GDPR only states that the DPO shall inform and advise, not carry out the actual operational work.
This challenge is the result of ineffective organisational design, where the responsibility to carry out the tasks listed above has not been assigned to the relevant resources. As a consequence, and based on a misunderstood perception of the role of the DPO, the organisation expects the DPO to manage all operational matters relating to privacy work. Instead, the DPO should operate on a tactical level, and train and provide advice to the resources that are required to do the work on an operational level.
The lack of resources does not necessarily mean that there need to be more resources in the central privacy function. Instead, the resources on the operational level responsible for the daily privacy-related work need to have time allocated for their tasks, e.g. maintaining the RoPA, carrying out pre-PIAs, conducting DPIAs, etc. However, few organisations considered the impact of the GDPR on an operational level and allocated time for privacy-related tasks to resources outside of the privacy function. Thus, it is important that the operational resources that are supposed to carry out daily tasks are allocated time to do so. Also, the responsibility for these tasks needs to be clearly assigned to them. This will take away some of the workload from the DPO and free up time for other critical tasks.
Lastly and once again, access to state-of-the-art tools is critical for the DPO to be able to carry out his/her tasks. The DPO needs to be able to assign tasks to the resources that are supposed to execute them. The DPO needs as much support from systems and tools as he/she can possibly get through automation and intelligent systems. SharePoint, Word and Excel are not efficient ways to manage privacy. I am sorry to say it, but those who say they are don’t know what they are talking about or what the alternatives have to offer.
3.1.3 The independence of the DPO is being challenged
The threat to the independence of the DPO is a graver matter and ultimately one that may require external involvement if the DPO is repeatedly blocked from presenting her/his views to senior management. I have read how management on some occasions has tried to change the DPO’s reports on the status of privacy implementation, and objected to certain conclusions made by the DPO on the risks and legality of processing.
This is challenging for the DPO and in direct conflict with the intent to have the DPO as an independent body inside the organisation ensuring sound data protection practices. Also, the conflict with senior management and the pressure to change his/her position may have psychological implications in the form of stress and low work satisfaction.
Clearly, the intention of executive management to assert itself against the opinion of the DPO and request the DPO to change position is in direct conflict with the intention of having an independent DPO to begin with, and consequently a problem that needs to be resolved once and for all.
My experience is that the problem is often caused by two things. The first is a misunderstanding by senior management of the role of the DPO; the second is a sometimes unyielding position by the DPO that makes it difficult to find a way forward.
I have seen that senior management often tends to look at the DPO as almost an extension of their legal function. They therefore often expect the DPO to find legal arguments that could allow for “grey-zone” data processing activities and are astounded when the DPO instead raises concerns. The best way to deal with this issue is to have a discussion on the role of the DPO before any conflict arises. Having an informal sit-down with senior management, where the DPO has the opportunity to explain the benefits of having an independent privacy function (ensuring solutions that build customer trust and meet customer expectations, assessing and mitigating risks, ensuring checks and balances, producing documentation to meet accountability requirements, etc.), is beneficial for all parties.
However, the DPO also needs to understand that he/she is part of an organisation that is dependent on the knowledge and advice of the DPO as the subject matter expert on privacy management. I therefore also believe that the DPO has an obligation to actively seek solutions that strike the right balance between solving the issue at hand for the organisation and mitigating the risk for the data subject.
It is easy for a DPO to say ‘no’ and always ask for more with regards to security and protection of data, but the real value for both the organisation and the data subject is where the DPO can assist in finding solutions that appropriately mitigate the risks of the data processing activity and reduce them to an acceptable level. If the DPO can position him/herself on a recurring basis as a problem-solver and not just a problem-finder, then it is likely that the DPO will receive overwhelming support from the rest of the organisation.
3.1.4 Lacking management support to change current organisation of work
The last challenge that DPOs face is resistance from management to making the necessary changes to address the DPO’s situation. The main reason for this reluctance is that management sometimes lacks a full understanding of both the risks and the missed opportunities that an inefficient privacy setup entails.
In many organisations, GDPR activities and privacy management in general have been managed as a compliance project, just like anti-competition, anti-money-laundering, Sarbanes-Oxley and anti-corruption programs have been managed historically. However, the privacy domain represents an entirely different and much more market-oriented exercise. Processing of data is something that companies are heavily dependent on. By contrast, corruption and money laundering are activities that companies want to avoid.
The role of privacy cannot be approached merely as a compliance activity. It needs to be considered from a market perspective. It needs to be considered from a service development perspective. It needs to be considered from an organisational perspective. It requires consideration of significant financial, market, technological and risk implications to fully address its impact. This needs to be discussed on a strategic level with the senior management. To facilitate this discussion the DPO needs to prepare for an executive discussion on the ambition level for privacy, considering both the current and future need for data, and the risk appetite and privacy ambition level of the company.
4 In conclusion
DPOs need senior management to help them succeed in their roles. Where the situation has already deteriorated due to misalignment between the management and the DPO, it may be necessary to ask for external support to mend the dents. White Label Consultancy can offer to facilitate the dialogue based on our experience from engaging with senior management on privacy matters in a number of organisations.
Where the dialogue is still good between senior management and the DPO, the DPO can help her/himself by raising the following issues with senior management:
1) Prioritisation of awareness around the importance of strong privacy management and practices
2) Importance of efficient organisational design allowing the DPO to take a more tactical role
3) Clear assignment of operational tasks to relevant resources in the organisation
4) Informing about the benefits of having access to the right tools to manage privacy
5) Have a discussion on a strategic level considering a wide array of implications, including defining ambition level for privacy management. If the management decides on a low maturity level, the controller (management) accepts the accountability.
6) Make management understand the benefits of having an independent DPO. An effective setup will allow the DPO to detect risks that would otherwise go unnoticed.
On the other hand, the DPO should be mindful to:
7) Make the discussion general and not conflict based
8) Use your expertise to find solutions to the challenges that the organisation is facing. Help your organisation see opportunities and explore new ways forward based on your expert knowledge.