The role attributed to the data protection officer is one manifestation of the accountability principle of the General Data Protection Regulation. As such, the GDPR requires that the DPO exercises his or her functions independently and that he or she “shall directly report to the highest management level” (Art. 38(3)).
The regulation does not provide any guidance on the type of reporting line that needs to be established in order to satisfy this requirement. Nor have the Article 29 Working Party or data protection authorities.
Organizations are therefore free to set things up as they see fit and can easily adapt the requirement to their hierarchical structure. Some guidance would nevertheless have helped them get this right and ensure that the DPO is adequately positioned.
Sarah Taïeb, the Global DPO of Ipsen, a leading biopharmaceutical group, wished to fully advise her management on the best reporting line for her from the moment she would be officially appointed as DPO in May 2018. She thus decided to look into what was said by authorities and the “professional doctrine.”
She realized that there were two main approaches to the subject: a reporting line to the company’s board or a reporting line to lower management functions.
Below is an overview of her findings, along with the analysis she made for her own organization.
The promotion of the DPO during the legislative process: looking for the ratio legis
Article 38(3) of the GDPR underwent several changes during the legislative procedure. Earlier drafts of the GDPR provided, in more general terms, for reporting to the “management” or the “executive management.”
In the initial draft of the Commission, dated January 25, 2012, Article 36(2) set out the reporting structure in very general terms: “[t]he data protection officer shall directly report to the management of the controller or the processor,” without specifying the management level. The problem of a potential conflict of interest resulting from a reporting line situated at too low a level in the company’s hierarchy was not addressed.
A step towards a more distinct separation of competences was made in the draft of the GDPR adopted by the European Parliament on March 12, 2014. Article 36(2) had been amended and then provided that: “The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the executive management of the controller or the processor.” The independence of the DPO was provided for in the European Parliament’s draft through the obligation for the company to designate “for this purpose [of reporting] […] an executive management member who shall be responsible for the compliance with the provisions of this Regulation.”
These two different visions finally merged in the Council’s draft, known as the “general approach,” adopted on June 15, 2015, and remained unchanged in this regard in the subsequent versions of the text. The reference to the executive management was replaced by a rather abstract reference to the “highest management level” in Article 38(3). Compared to the previous versions of the text, the reporting line included in the revised version of the GDPR strengthened the position of the DPO and stressed the importance of data protection issues within the organizational hierarchy of those companies required to appoint a DPO. In the words of Rupert Casey, partner at MacFarlanes, “[t]his reporting structure is the regulatory means of instilling the need for key stakeholders to take data privacy seriously, and to push this issue up the corporate agenda as far as all of the other competing compliance and regulatory issues.”
Hence, one question is how this shift from the “executive management” of the previous drafts to the “highest management level” as finally enacted must be understood and taken into account in practice when deciding on the DPO’s reporting line.
A corporate vision on the “highest management level”
As the GDPR does not provide any definition of the “highest management level,” understanding the difference between “executive management” and the “highest management level” in corporate language may help interpret the change the wording on the reporting line underwent during the legislative process.
In corporate language, “executive management” is a global term that includes the senior management level, but also lower management levels.
The “highest management level,” on the contrary, may designate the board of directors as well as the “highest executive, or senior management,” meaning the positions of chairman, managing directors, executive directors, executive VP and the so-called “C-level” management (chief executive officer, chief financial officer, chief operating officer, chief information officer), i.e. the so-called “executive board,” with day-to-day responsibilities and specific executive powers.
Regarding the intention of the European legislator when introducing the requirement of reporting “to the highest management level,” one possible understanding is that the shift between the previous draft versions and the Council’s draft stresses the importance of setting data privacy issues at a high level within a company’s hierarchy.
Another way of interpreting this change could be to see it as a real watershed between both versions. In that sense, “the highest management level” would refer to the board of directors.
In his book on “The Data Protection Officer,” Paul Lambert seems to favor the first interpretation and to see a continuity between the different drafts. According to Lambert, reporting to the “highest management level” corresponds to “requiring senior management involvement,” which would give sufficient independence to the DPO and guarantee that the DPO’s decisions could not be compromised by lower management functions, without any need to report directly to the company’s board.
An important distinction on that subject is made by Paul Voigt and Axel von dem Bussche, partners at Taylor Wessing Germany, in their manual on “The EU General Data Protection Regulation,” where they insist on the DPO’s ability to report to the highest management level when necessary, in the case of significant data protection matters, but see no clear obligation to report routine matters to the highest management.
The reporting line of the DPO according to data protection authorities and advisory organizations
The UK data protection authority, the ICO, seems, at first glance, to adopt a straightforward position on that matter, stating that the highest level of management translates to “board level.” Nevertheless, in its commentary, the ICO specifies that “[t]his doesn’t mean the DPO has to be line managed at this level but they must have direct access to give advice to senior managers who are making decisions about personal data processing.”
The position adopted by the WP29 is less clear-cut as it suggests that the reporting line to the “highest management level” should be understood as “ensur[ing] that senior management (e.g. board of directors) is aware of the DPO’s advice and recommendation” by means of, amongst others, the drafting of an annual report.
The WP29 awareness approach seems to be shared by the Confederation of European Data Protection Organizations, which stated that what is required is “to link DPOs to the highest management level (such as to the board or to the board member),” with the DPO having “direct and unfiltered access to the top management” and a “respective board or board member [that] is acting as function and administrative supervisor.”
Multiple perspectives provided by experts
Legal experts translate the requirement of reporting to the “highest management level” into different reporting architectures.
Notable data privacy lawyers, such as Tim Wybitul, partner at Hogan Lovells, in his manual, or Stephanie Creed, senior associate at Taylor Wessing, suggest a direct reporting line to the CEO or the board. However, in some cases, it is not quite clear whether the reference to the “board” should be understood as the executive board or the board of directors. A clear opinion in favor of a reporting line to the CEO or the board is put forward by the law firm Norton Rose, which highlights the necessity of board support for the DPO in raising data privacy issues. Accordingly, reporting to the board could be understood as the necessary consequence of the hierarchical support scheme outlined for achieving compliance. Similarly, Winston Maxwell, partner at Hogan Lovells, clearly favors a reporting line to the “C-level,” with reference to the competence of “the CEO or chief operating officer who controls the collection and use of personal data or processes the data at a controller’s direction.”
Likewise, in a non-representative survey by the IAPP on the “DPO under GDPR,” a clear majority of the respondents stated that the DPO in their organization reports to the board (“highest level in their organization”), with only a small percentage not having this type of reporting line.
With a slightly more nuanced vision on how to achieve compliance with the requirement of Article 38(3), Anita Bapat and James Henderson of Hunton & Williams favor an indirect reporting line to the board and indicate that, in practice, this is likely to mean that the DPO “will need to report into the board of the organisation, most likely via the organisation’s chief compliance officer or chief legal officer.”
Even a lower-level reporting line could be a convenient solution, according to lawyers at Bristows. In order to ensure the DPO’s independence, the requirement could be met where “the DPO report[s] to senior-level management.”
Eduardo Ustaran, co-director of the global Privacy and Cybersecurity practice of Hogan Lovells, raises the concern that, from an organizational perspective, the DPO is “unlikely to have direct access to the CEO or the Board.” For Ustaran, “[w]hat really matters is that the DPO has sufficient top management buy-in to be able to influence compliance decisions. Therefore, as long as the DPO has that influence — even if they are one or two levels below someone who really has access to the CEO or Board — the requirement will be met in practice.”
(In)direct reporting to the board: It all depends on the company’s size and internal organization
Considering the range of opinions on how to comply with the requirement of Article 38(3), a direct reporting line to the company’s general counsel/head of legal or chief compliance officer (as the data protection compliance effort generally lies with either legal or compliance) may be an efficient and sufficient solution. This person reports to the board level and is situated at a sufficiently high level to guarantee efficient support to the DPO.
The choice of reporting line within a company is also likely to depend on the company’s size, bearing in mind that the reporting line should not create any conflict of interest and should lead to a function able to provide sufficient support to the DPO. Nevertheless, since most of the positions set out above refer to reporting to top management, the board or the CEO, whether directly or indirectly, reporting to a function not directly connected to the board or the CEO may not fit the spirit of the GDPR.
This is closest to Ustaran’s pragmatic view, which sees the DPO reporting line as flexible and adapted to the organization’s structure while preserving the DPO’s independence.
This is the view promoted by Sarah Taïeb within the Ipsen organization. It was decided that she would report to the group’s Executive Vice President and General Counsel, François Garnier, who directly reports to the Ipsen Executive Leadership Team, where he can relay the relevant information with respect to data privacy.
All in all, no matter who the DPO reports to, it is his or her own responsibility and mission to be visible at all levels within the organization and to ensure that his or her manager, whoever it is, proactively supports the data protection compliance effort required by the GDPR.