
A significant number of business decisions, irrespective of discipline, are marred by dilemmas. For data protection officers, dealing with dilemmas is part and parcel of the job.

Before diving into the dilemmas facing a DPO, consider the perspective of a consumer advocate. Essentially, a DPO is an advocate of the data subject. If, for example, you purchase a car, TV or children's toy, you have rights as a consumer — a return guarantee on faulty products and an assurance the product does not present a safety hazard.

The role of the consumer advocate is to ensure such rights are respected and responded to by the seller in an appropriate and timely manner. If there is a fault in a product that impacts the safety of the consumer, e.g., a safety hazard in a toy, the consumer advocate role becomes critical. The manufacturer or vendor must implement business processes to enable an upward flow of information concerning the deficient safety feature to the highest level in the organization and, where necessary, to the executive board. There must also be a supply chain tracking mechanism, such as product coding, to facilitate a product recall. The immediate financial impact of a product recall might be significant, but the strategic impact can be critical to the business's survival if the fault is not handled correctly.

In his book, "Managing the Human Factor of Information Security," David Lacey wrote, "Identifying the root causes of a failure is essential, but human factors such as avoidance of blame and wishful thinking often cloud our assessment of the underlying causes of an incident. Errors and oversights in design or operation are more likely to be the result of inadequate skills, training, testing or supervision, rather than the shortcomings of a single individual. People in the firing line are often heard to claim 'It's just an isolated incident,' or, 'It was a moment of madness.' But that's very rarely the case. Deeper probing of the events leading up to an incident will usually confirm that it was probably an incident just waiting to happen."

The dilemma facing a business following a personal data breach is generally clear-cut. Shall we be transparent and do what is right? Or shall we attempt a cover-up to minimize business risks? There is an added dimension, as some individuals may independently attempt to cover up their mistakes to protect their jobs or professional reputations. What should be a simple, straightforward choice can, in practice, become a mush of what should be done versus what is done in reality.

The role of the DPO is to ensure there is zero or minimal risk of "harm to the rights and freedoms of the natural person." A natural person is any living individual from the moment of birth until death. When we talk about the "risk of harm," it need not be material. For example, it could be "harm" that might negatively impact an individual's mental health. And when you think about it, the mere fear of harm is enough to cause a negative mental health effect.

The DPO role has a scope of engagement concerning personal data, which is ubiquitous. The EU General Data Protection Regulation defines personal data as "any data linked directly or indirectly to a natural person." The human aspect further muddies the scope, especially when considering the most fundamental dilemma in privacy: "We want privacy for ourselves, but not for others," author David Brin wrote in his book "The Transparent Society."

A DPO's mandate is to protect data subjects from the risk of harm — harm that could result from the collection and use of personal data. The DPO role is often blurred when business risks fall into focus. So-called compliance, brand and reputation risks present dilemmas to the DPO, who can be dragged in multiple directions trying to please all stakeholders. If the DPO is not completely clear about their role, they could easily become confused and make incorrect assumptions.

Imagine we conclude there has probably been a personal data breach following an incident. Note the use of the term "personal data breach" here and not "data breach." A data breach can include any data of value to the organization, including intellectual property. But a personal data breach is specific to personal data. Also, note the use of "probably." Personal data may have been compromised, but we might not know for certain if it actually has. Articles 33 and 34 of the GDPR stipulate that such a breach — given certain conditions — must be reported to the data protection authority and the data subject.

The nature of the organization's business can make a difference in assumptions about the breach. If it is oil exploration or airplane design, it is likely intellectual property, which is out of the GDPR's scope, was the target. If the organization is a health care center, however, the target is more likely to be sensitive personal data and a personal data breach may have occurred.

The question of whether a personal data breach should be reported or not is marred by dilemmas. For example, a business sold physical security services to the private sector and cameras were installed in buildings and residential homes. Let's speculate a flaw in the camera firmware has been exploited, enabling the capture of video footage while the camera is in sleep mode and disabling the stream of data to the managed security service. Further imagine that this camera model has been on the market for more than a year.

The initial question is whether there has been a personal data breach. The second question is: If there has been a breach, what is the potential harm to the rights and freedoms of customers? The answers to these questions must be determined carefully and promptly. If there is a high risk of harm to the rights and freedoms of the customers, the breach must be reported to the supervisory authority within a 72-hour window and reported to the affected customers, as stipulated under Article 33 of the GDPR.

If a breach is determined, there are many dilemmas. How will it impact the value of the brand and reputation of the business? Is a recall of the cameras or a rush to push out a firmware fix required? Will customers be lost due to a loss of trust? Is it better to wait to report the incident after all the facts are known?

These dilemmas can often lead to a conflict between those focused on organizational risk and the DPO, whose primary concern is the data subject. Questions that fly across the room during these discussions will further muddy the direction and actions of the DPO, if they are not clear on their mandate.

The DPO must have the ability to communicate effectively — considering the human factor — with those charged with the decision to report or not. But, in any discussion, the DPO must jump with agility directly into the shoes of the data subject. From this perspective, they can assess the risks and present the arguments for and against reporting the breach. If the DPO's recommendation is to report, and the board decides otherwise, the DPO has still done their job. As long as the DPO has documented the process/steps leading to the final decision, they have done as much as can be expected to protect their charge, the data subject. Some DPOs may find this stressful and challenging because of the passion they hold for their job and its link to human rights.

Under Article 38(3) of the GDPR, the DPO cannot be dismissed or penalized for doing their job. A problem arises when the organization's culture is not akin to transparency and doing what is right, i.e., when the bottom line is simply profit. In such cases, the DPO can find their position untenable over a longer term. This surfaces as a symptom of an organization not compliant with GDPR internally, which may not be immediately visible externally, except for the high turnover of DPOs. 

In my experience, although DPOs cannot be dismissed or penalized for doing their jobs, and are required to be given the tools and resources necessary to do it, there is, nonetheless, a pandemic of DPOs unable to operate effectively. The DPO could be far too embroiled in business politics and not clear on the scope of their assignment. They may not have a direct reporting line to the board, which hampers their ability to execute and communicate. The DPO could be external, and torn by the need to satisfy their customer versus the need to do what is right under the GDPR. Then, there are legally trained DPOs who cannot connect effectively with information technology, and IT-trained DPOs who report to the legal function and experience a disconnect.

There is a bucketful of problems and dilemmas marring the effectiveness of the role of the DPO that cannot be solved. What is clear, however, is that the dysfunction is not a legal matter, but a human factor.


5 Comments


  • comment Robert Baugh • Jun 6, 2023
    Thank you for the interesting article on the dilemmas DPOs face. While I agree with the commercial bind that DPOs (and in-house lawyers) can find themselves in in these situations, I'm afraid I do disagree with the descriptions of the DPO role, and believe these descriptions can increase the DPO's dilemmas without need. 
    
    GDPR (Art 39) gives this mandate to DPOs, and this alone: advise the controller or processor on compliance with GDPR and other relevant EU/MS DP laws, monitor that compliance, advise where requested on DPIAs, and cooperate with and be the contact point for supervisory authorities. 
    
    - A DPO is not "an advocate of the data subject". While this is often said, it has no basis in GDPR and places a very different emphasis on the DPO's role.
    - The DPO's role is not "to ensure there is zero or minimal risk of "harm to the rights and freedoms of the natural person."" GDPR does not place this duty on the DPO, nor on the controller or processor. In the same vein, a DPO's mandate is not "to protect data subjects from the risk of harm — harm that could result from the collection and use of personal data." One of GDPR's two overall aims is indeed to protect data subjects from harm, but that's not a GDPR-specified task for the DPO. There may well be a risk of harm above minimal. 
    - On the same basis, a DPO's "primary concern" is not the data subject and data subjects aren't the DPO's "charge". Much like a lawyer advising a client, the controller/processor is the DPO's charge and their primary concern is the compliance of the controller/processor with GDPR and other relevant EU/MS DP laws.
    
    I do agree with the article on the very real dilemmas DPOs face. I've been a GC and that's a similar internal advisory role that often has to fight being seen as the person who says no. But I do think, in particular, that the often stated view of a DPO as a data subject's advocate is not set out in GDPR and pushes the DPO unnecessarily into more dilemmas.
  • comment Roy Kamp • Jun 7, 2023
    I agree with Robert's comments below.
    While there may, in some instances, be a dilemma for the DPO, it is clear that the DPO is there to provide guidance and advice to the organisation to ensure that the organisation is acting in a compliant manner - see for example the DPIA templates issued by the supervisory authorities that require the DPO to be consulted.
    Having said that, the DPO's advice can be ignored by the organisation. I have always taken the view that it is a balancing act but you do need to find a workable solution within the requirements of the GDPR. To the extent the organisation disagrees with the DPO's advice or position, the DPO's responsibility ceases when they have documented their advice and position to the organisation. Ultimately, it is then a decision for the organisation to balance the risks of a given activity.
    
    One final point needs to be said about the independence of the DPO. There has been sufficient guidance on this topic and several supervisory authority decisions that should provide DPOs with comfort (and perhaps more importantly) clarity on the expectations.
  • comment Manu Seth • Jun 10, 2023
    While the article is enlightening for sure, the question boils down to whether the opinion of the DPO is binding upon the organization if his role is limited to ensuring compliance with reference to GDPR.
  • comment Karen Lawrence • Jun 12, 2023
    Hi guys, great Comments and I see where you are coming from, of course, and super cool when there is a debate. The main thread of the article is on dilemmas faced by the DPO, and on ‘dilemmas’  we seem to have agreement :)
    
    To expand on the legal technical details. 
    It is clear what is stipulated in the GDPR, and this article does not intend to deviate from that, but reach an audience beyond those who are actually operating in the shoes of the DPO and/or the legal office, bring to life articles 37-39 beyond the legal text. What is clear to a legal guy is not equally clear to an IT or business guy, and conversely, what is obvious to an IT/security guy may not transcend to a level understood by a majority of legal guys as it stands today. The fact remains that we all need to work together to address a common cause, i.e. compliance with GDPR, and in a manner which is understood by all.
  • comment Karen Lawrence • Jun 14, 2023
    I just received a call from a legal friend of mine (who is not able to comment here), but he said that I should append to my Comment, that one should not forget Article 1 of the GDPR which states that the purpose of the Regulation is to protect fundamental rights and freedoms of natural persons.