A significant number of business decisions, irrespective of discipline, are marred by dilemmas. For data protection officers, dealing with dilemmas is part and parcel of the job.
Before diving into the dilemmas facing a DPO, consider the perspective of a consumer advocate. Essentially, a DPO is an advocate of the data subject. If, for example, you purchase a car, TV or children's toy, you have rights as a consumer — a return guarantee on faulty products and an assurance the product does not present a safety hazard.
The role of the consumer advocate is to ensure such rights are respected and responded to by the seller in an appropriate and timely manner. If there is a fault in a product that impacts the safety of the consumer, e.g., a safety hazard in a toy, the consumer advocate role becomes critical. The manufacturer or vendor must implement business processes to enable an upward flow of information concerning the deficient safety feature to the highest level in the organization and, where necessary, to the executive board. There must also be a supply chain tracking mechanism, such as product coding, to facilitate a product recall. The immediate financial impact of a product recall might be significant, but the strategic impact can be critical to the business's survival if the fault is not handled correctly.
In his book, "Managing the Human Factor of Information Security," David Lacey wrote, "Identifying the root causes of a failure is essential, but human factors such as avoidance of blame and wishful thinking often cloud our assessment of the underlying causes of an incident. Errors and oversights in design or operation are more likely to be the result of inadequate skills, training, testing or supervision, rather than the shortcomings of a single individual. People in the firing line are often heard to claim 'It's just an isolated incident,' or, 'It was a moment of madness.' But that's very rarely the case. Deeper probing of the events leading up to an incident will usually confirm that it was probably an incident just waiting to happen."
The dilemma facing a business following a personal data breach is generally clear-cut. Shall we be transparent and do what is right? Or shall we attempt a cover-up to minimize business risks? There is an added dimension, as some individuals may independently attempt to cover up their mistakes to protect their jobs or professional reputations. What should be a simple, straightforward choice can, in practice, become a mush of what should be done versus what is done in reality.
The role of the DPO is to ensure there is zero or minimal risk of "harm to the rights and freedoms of the natural person." A natural person is any living individual from the moment of birth until death. When we talk about the "risk of harm," it need not be material. For example, it could be "harm" that might negatively impact an individual's mental health. And when you think about it, the mere fear of harm is enough to cause a negative mental health effect.
The DPO's scope of engagement concerns personal data, which is ubiquitous. The EU General Data Protection Regulation defines personal data as "any data linked directly or indirectly to a natural person." The human aspect further muddies the scope, especially when considering the most fundamental dilemma in privacy: "We want privacy for ourselves, but not for others," author David Brin wrote in his book "The Transparent Society."
A DPO's mandate is to protect data subjects from the risk of harm — harm that could result from the collection and use of personal data. The DPO role is often blurred when business risks fall into focus. So-called compliance, brand and reputation risks present dilemmas to the DPO, who can be dragged in multiple directions trying to please all stakeholders. If the DPO is not completely clear about their role, they could easily become confused and make incorrect assumptions.
Imagine we conclude there has probably been a personal data breach following an incident. Note the use of the term "personal data breach" here and not "data breach." A data breach can include any data of value to the organization, including intellectual property. But a personal data breach is specific to personal data. Also, note the use of "probably." Personal data may have been compromised, but we might not know for certain if it actually has. Articles 33 and 34 of the GDPR stipulate that such a breach — given certain conditions — must be reported to the data protection authority and the data subject.
The nature of the organization's business can make a difference in assumptions about the breach. If it is oil exploration or airplane design, the target was likely intellectual property, which is outside the GDPR's scope. If the organization is a health care center, however, the target is more likely to be sensitive personal data, and a personal data breach may have occurred.
The question of whether a personal data breach should be reported or not is marred by dilemmas. For example, a business sold physical security services to the private sector, and cameras were installed in buildings and residential homes. Let's speculate that a flaw in the camera firmware has been exploited, enabling the capture of video footage while the camera is in sleep mode and disabling the stream of data to the managed security service. Further imagine that this camera model has been on the market for more than a year.
The initial question is whether there has been a personal data breach. The second question is: If there has been a breach, what is the potential harm to the rights and freedoms of customers? The answers to these questions must be determined carefully and promptly. If there is a high risk of harm to the rights and freedoms of the customers, the breach must be reported to the supervisory authority within a 72-hour window and reported to the affected customers, as stipulated under Article 33 of the GDPR.
If a breach is determined, there are many dilemmas. How will it impact the value of the brand and reputation of the business? Is a recall of the cameras or a rush to push out a firmware fix required? Will customers be lost due to a loss of trust? Is it better to wait to report the incident after all the facts are known?
These dilemmas can often lead to a conflict between those focused on organizational risk and the DPO, whose primary concern is the data subject. Questions that fly across the room during these discussions will further muddy the direction and actions of the DPO, if they are not clear on their mandate.
The DPO must have the ability to communicate effectively — considering the human factor — with those charged with the decision to report or not. But, in any discussion, the DPO must jump with agility directly into the shoes of the data subject. From this perspective, they can assess the risks and present the arguments for and against reporting the breach. If the DPO's recommendation is to report, and the board decides otherwise, the DPO has still done their job. As long as the DPO has documented the process/steps leading to the final decision, they have done as much as can be expected to protect their charge, the data subject. Some DPOs may find this stressful and challenging because of the passion they hold for their job and its link to human rights.
Under Article 38(3) of the GDPR, the DPO cannot be dismissed or penalized for doing their job. A problem arises when the organization's culture is not one of transparency and doing what is right, i.e., when the bottom line is simply profit. In such cases, the DPO can find their position untenable over the longer term. This surfaces as a symptom of an organization not internally compliant with the GDPR, which may not be immediately visible externally, except for the high turnover of DPOs.
In my experience, although DPOs cannot be dismissed or penalized for doing their jobs, and are required to be given the tools and resources necessary to do it, there is, nonetheless, a pandemic of DPOs unable to operate effectively. The DPO could be far too embroiled in business politics and not clear on the scope of their assignment. They may not have a direct reporting line to the board, which hampers their ability to execute and communicate. The DPO could be external, and torn by the need to satisfy their customer versus the need to do what is right under the GDPR. Then, there are legally trained DPOs who cannot connect effectively with information technology, and IT-trained DPOs who report to the legal function and experience a disconnect.
There is a bucketful of problems and dilemmas marring the effectiveness of the role of the DPO that cannot be solved. What is clear, however, is that the dysfunction is not a legal matter, but a human factor.