The rise of the Data Protection Officer
In the final months of preparation for GDPR, Europe witnessed the proliferation of a new work function.
All over Europe organisations were appointing data protection officers to ostensibly achieve compliance with the new regulation.
A lot of water has passed under the bridge since then. Organisations have now had the opportunity to work in a structured manner with data protection and have had the opportunity to experience what works and what could be improved.
At the same time, the business needs for more advanced data processing activities have increased significantly over the period. Where only a few organisations were involved in more advanced data processing activities in the years leading up to GDPR becoming enforceable, technologies such as artificial intelligence, machine learning and facial recognition have now become conventional technologies and are deployed by a number of organisations in various settings and for various purposes.
In the following article, I will examine the benefits of both roles, but I will also look at some of the challenges related to each of the roles and why these have impelled both Data Protection Officers and organisations to question what the ideal setup is for them. At the end of this article, I will share my views on which organisational setup may be ideal for various types of organisations.
Data Protection Officer (DPO)
The appointment of a DPO needs to observe the requirements in GDPR art. 37-39 regarding reporting lines, no conflict of interest, qualifications, involvement, monitoring, reporting etc. Obviously, it is not a requirement for all organisations to appoint a DPO, but only for those that process data in scope of art 37(1) a-c.
EDPB guideline wp243 encourages the DPO to be extensively and directly involved in the assessment of the organisation's processing activities. The decision in case 18/2020 by the Belgian APD/GBA establishes that, once appointed, the DPO shall be duly and timely involved in all matters relating to the protection of personal data. For example, reducing the involvement of the DPO in the event of a personal data breach to merely informing the DPO of a decision after the incident will erode the function in breach of GDPR. Similarly, in case 41FR/2021 by the Luxembourgian CNPD it was found to be in breach of art 38(1) that the DPO was only involved on an ad hoc basis in a few internal meetings and committees concerned with the processing of personal data by the organisation, rather than there being a defined rule or meeting frequency governing the involvement of the DPO.
It is imperative to keep in mind that the purpose of the DPO role as such is to act as the representative of the data subjects whose data the organisation processes. At the same time, the DPO cannot perform tasks relating to determining the purposes or means of the processing of personal data, cf. decision 07121-1/2021/577 by the Slovenian DPA. I have covered the important role of the DPO in several previous articles, which I refer to for further perusal.
Chief Privacy Officer (CPO)
The primary difference between the DPO and the CPO role is the possibility to represent the organisation’s data processing interests and participate actively in developing solutions for the data processing needs of the organisation. In practice, this will mean that the CPO will have the possibility to engage with internal stakeholders on the design of the solution, be the data protection expert “of the organisation”, and thereby take an active role in providing arguments and proposals for how the organisation can justify and explain data processing activities.
The CPO role may not necessarily be labelled CPO. Some organisations may use different designations, such as Data Protection Lead, Privacy Counsel etc. What the different job titles have in common is that they refer to a role organised in the 1st line of defence of the organisation and directly involved in the handling and resolution of data protection matters.
Constraints to the involvement of the DPO
The DPO cannot be expected to take on the role as the advocate for the organisation’s right to process data in more demanding or marginal types of data processing. The organisation will need to respect the requirements of the GDPR and the limitations it entails for the role.
In practice this will mean that the DPO cannot be asked by the organisation to provide proposals for, or acceptance of, data processing practices. The organisation will remain accountable for its decisions regarding data processing, and the DPO cannot be part of the decision to accept and commence a specific processing activity. This should however not be interpreted as a general limitation on the DPO being actively involved in the assessment of, and provision of guidance regarding, specific processing activities. This type of involvement is critical both for an effective privacy management programme and for the overall compliance of the organisation.
In reality this means that there are constraints which need to be observed regarding the tasks the DPO can be expected to perform on behalf of the organisation.
Deciding on the right data protection setup
Whether your organisation needs a DPO, a CPO or both depends on 1) the size of your organisation, and 2) the nature of your processing activities.
GDPR immediately provides guidance on when a DPO shall be appointed, i.e. where the processing activities are a) carried out by a public authority, b) require regular and systematic monitoring of data subjects on a large scale, or c) consist of processing on a large scale of special categories of data.
However, for a number of smaller organisations subject to these requirements, it may be difficult to appoint a full-time DPO. In addition, and in particular for smaller organisations involved in more advanced data processing activities, there will often be a separate demand for more operational data protection support, e.g., negotiation of data processing agreements, data protection guidance on development of new services etc.
Similarly, B2B organisations that produce non-digital products may only process personal data related to their employees and a few business relations, and only to a limited extent. Just as these types of organisations are not required to appoint a DPO, it would also make little operational sense to allocate a full-time resource to data protection matters.
Conversely, at the other end of the spectrum you will find organisations that have increased their size, maturity and organisational complexity. Even B2B organisations that have exceeded a certain threshold of employees may find that their organisational complexity, and more advanced measures to manage employees, warrant one or more full-time data protection resource(s).
The question is then when the organisation should appoint someone to support the different functions on data protection matters, and whom.
Whom to designate as data protection point of contact
Less than 250 employees
Generally, for smaller organisations that are not involved in advanced data processing, it will not be necessary to have a specialised data protection resource appointed. It does not make sense to simply name someone in the organisation as “data protection champion” if that person has neither the knowledge nor the interest in data protection. Instead, this type of organisation should rely on ad hoc external advice if it occasionally encounters a data protection question.
If the smaller organisation is indeed involved in advanced data processing activities and therefore is required to appoint a DPO, it will most often make sense for the organisation to appoint a part-time external DPO and instead rely on the internal lawyer/legal team to support the organisation on day-to-day operational data protection matters.
250 to 999 employees
Organisations that have achieved a certain size and are involved in standard data processing activities relating to employees and customers will frequently encounter the need for internal data protection expertise to guide and support the organisation in various matters. The extent of the work will most often be at a scale where it does not require a full-time position to manage the workload. Hence, the data protection support will often be best provided by a resource located in the legal team that has gone through some upskilling or specialisation within data protection.
This situation changes when the organisation is involved in more advanced data processing activities. This will often be the case for smaller organisations where their core services are based on advanced data processing capabilities. In this situation, the organisation will face a prominent and recurring need for internal clarification of data protection matters. In this situation, all organisational circumstances and needs warrant the appointment of a full-time data protection resource. This does however not necessarily mean that the full-time resource should be a DPO. Most often, the real time-consuming tasks will be related to the development, design, testing and approval of new services. Hence, a DPO – with its constraints – may not be the full-time role that the organisation needs. Instead, it will make sense for the organisation to appoint a CPO and rely on the appointment of an internal or external part-time DPO.
1000 to 4999 employees
For larger organisations with a more complex organisational structure and a higher number of business processes, it will be necessary to have a dedicated data protection resource appointed. Even for larger organisations with limited data processing needs, the mandatory maintenance of the records of processing activities (RoPA) and the recurring need to enter into data processing agreements (DPAs) with a number of external parties for various business needs will require expert knowledge of data protection requirements within the organisation. For larger organisations with standard data processing needs, the appointment of a full-time CPO that can actively assist the organisation in day-to-day data protection matters will be the right choice to ensure close support to the organisation.
Where the larger organisation is involved in advanced data processing activities, e.g., telecom, banking, insurance, or pharma, it will be relevant to appoint both a full-time CPO and a full-time DPO. The CPO should always be an internal resource that on a day-to-day basis can work closely with the various business functions of the organisation. Whether the DPO is an internal or external resource depends on the frequency and extent of the processing activities.
Massive organisations will – due to their sheer size and number of employees – process data extensively. In addition, all trends and developments indicate that even less data dependent organisations and industries will have to adopt new and more advanced data processing capabilities to be able to meet business (e.g., employee management) and customer demands in the future.
For all types of organisations in this category, this warrants a full-time dedicated resource to internally drive awareness of and compliance with data protection requirements.
It is critical that organisations assign responsibility and ownership for the development of a strong data protection foundation. Due to the constraints of the DPO role, that onus cannot be put on that function, and the CPO will therefore be the right choice to own and drive this development. However, the importance of the DPO in organisations should not be underestimated. Even for organisations of this size, the DPO will play a critical role in ensuring the effectiveness of business processes and providing guidance and advice on how the organisation can best mitigate the risks for data subjects that the processing activities of the organisation may entail.
Organisational placement of the DPO and CPO
One topic that often comes up regarding the two roles is where the roles should be organised.
Obviously, the requirements in GDPR and the subsequent decisions by various Supervisory Authorities put certain restrictions on how and where the DPO can be organised.
In case 41FR/2021 by the Luxembourgian CNPD, the existence of several hierarchical intermediaries between the DPO and the highest level of management of the company was in breach of art. 38(3). The consequence of this organisational setup was that the DPO could not report directly to the highest management level of the company and did not have a sufficient degree of autonomy and independence to decide when and how this reporting should take place.
Smaller and most medium-sized organisations will often find it challenging to establish an independent DPO role that reports directly to the executive management of the organisation. On the other hand, once organisations grow larger, they will often see the need to establish other similar functions, e.g., compliance and internal audit, that have direct reporting lines to either the executive management or board of directors. Where internal committees have been established to receive recurring reporting from functions – other than the DPO – it will typically be easier to establish a direct reporting line for the DPO.
It is however possible to meet the reporting line requirement of the GDPR by other means. The DPO can be placed within several organisational functions such as Legal, Compliance and even Security, as long as: 1) there is a clear mandate that establishes the rights and independence of the DPO, and 2) the DPO – as mentioned above – is not involved in tasks relating to determining the purposes or means of the processing of personal data. See for example case 56/2021 by the Belgian APD/GBA, where the supervisory authority decided that there was no conflict of interest between the function of the DPO and that of a non-operational chief information security officer.
With regards to the CPO there is much more flexibility for the organisation to decide how the role should be organised. With the role being more operationally focused, you will often see the Chief Privacy Officer report to 1) the General Counsel, 2) the CEO or Corporate Affairs Officer, or 3) the Head of Compliance. Where the role is best organised will vary from organisation to organisation, depending on the existing organisational split of responsibility and on the tasks that will make up the key components of the CPO role.
Where the role is mostly expected to be involved in day-to-day advice and counselling on operational data protection matters, it may make most sense to organise the role in the legal function. If the role is expected to take a more prominent part in raising awareness, training the organisation and developing governance, it may make more sense to place the role with compliance. In case data processing is a fundamental part of the core activities of the organisation, and customer trust in the data processing activities of the organisation is critical for its long-term success, it may make most sense for the CPO to report to the CEO or the Corporate Affairs Officer. IAPP’s 2021 Annual Privacy Governance Report shows that 30% of “Privacy Leaders” report to the General Counsel, 18% to the CEO and 16% to the Chief Compliance Officer.
It is my prediction that the new requirements that will follow, once enacted, from the Data Governance Act, the Digital Services Act, the Digital Markets Act and the AI Act will further accentuate the need to reconsider the data protection setup within a number of organisations. As requirements get more specific and complex, the need for close consultation with the data protection experts of the organisation will increase. While the participation of both the CPO and the DPO in these future discussions will be critical, organisations need to be mindful that the CPO and DPO fulfil two important but also very different roles.