TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout



A significant number of business decisions, irrespective of discipline, are marred by dilemmas. For data protection officers, dealing with dilemmas is part and parcel of the job.

Before diving into the dilemmas facing a DPO, consider the perspective of a consumer advocate. Essentially, a DPO is an advocate of the data subject. If, for example, you purchase a car, TV or children's toy, you have rights as a consumer — a return guarantee on faulty products and an assurance the product does not present a safety hazard.

The role of the consumer advocate is to ensure such rights are respected and responded to by the seller in an appropriate and timely manner. If there is a fault in a product that impacts the safety of the consumer, e.g., a safety hazard in a toy, the consumer advocate role becomes critical. The manufacturer or vendor must implement business processes to enable an upward flow of information concerning the deficit safety feature to the highest level in the organization and, where necessary, to the executive board. There must also be a supply chain tracking mechanism, such as product coding, to facilitate a product recall. The immediate financial impact of a product recall might be significant, but the strategic impact can be critical to the business's survival if the fault is not handled correctly.

In his book, "Managing the Human Factor of Information Security," David Lacey wrote, "Identifying the root causes of a failure is essential, but human factors such as avoidance of blame and wishful thinking often cloud our assessment of the underlying causes of an incident. Errors and oversights in design or operation are more likely to be the result of inadequate skills, training, testing or supervision, rather than the shortcomings of a single individual. People in the firing line are often heard to claim 'It's just an isolated incident,' or, 'It was a moment of madness.' But that's very rarely the case. Deeper probing of the events leading up to an incident will usually confirm that it was probably an incident just waiting to happen."

The dilemma facing a business following a personal data breach is generally clear-cut. Shall we be transparent and do what is right? Or shall we attempt a cover-up to minimize business risks? There is an added dimension, as some individuals may independently attempt to cover up their mistakes to protect their jobs or professional reputations. What should be a simple, straightforward choice, can, in practice, become a mush of what should be done versus what is done in reality.

The role of the DPO is to ensure there is zero or minimal risk of "harm to the rights and freedoms of the natural person." A natural person is any living individual from the moment of birth until death. When we talk about the "risk of harm," it need not be material. For example, it could be "harm" that might negatively impact an individual's mental health. And when you think about it, the mere fear of harm is enough to cause a negative mental health effect.

The DPO role has a scope of engagement concerning personal data, which is ubiquitous. The EU General Data Protection Regulation defines personal data as "any data linked directly or indirectly to a natural person." The human aspect further muddies the scope, especially when considering the most fundamental dilemma in privacy: "We want privacy for ourselves, but not for others," author David Brin wrote in his book "The Transparent Society."

A DPO's mandate is to protect data subjects from the risk of harm — harm that could result from the collection and use of personal data. The DPO role is often blurred when business risks fall into focus. So-called compliance, brand and reputation risks present dilemmas to the DPO, who can be dragged in multiple directions trying to please all stakeholders. If the DPO is not completely clear about their role, they could easily become confused and make incorrect assumptions.

Imagine we conclude there has probably been a personal data breach following an incident. Note the use of the term "personal data breach" here and not "data breach." A data breach can include any data of value to the organization, including intellectual property. But a personal data breach is specific to personal data. Also, note the use of "probably." Personal data may have been compromised, but we might not know for certain if it actually has. Articles 33 and 34 of the GDPR stipulate that such a breach — given certain conditions — must be reported to the data protection authority and the data subject.

The nature of the organization's business can make a difference in assumptions about the breach. If it is oil exploration or airplane design, it is likely intellectual property, which is out of the GDPR's scope, was the target. If the organization is a health care center, however, the target is more likely to be sensitive personal data and a personal data breach may have occurred.

The question of whether a personal data breach should be reported or not is marred by dilemmas. For example, a business sold physical security services to the private sector and cameras were installed in buildings and residential homes. Let's speculate a flaw in the camera firmware has been exploited, enabling the capture of video footage while the camera is in sleep mode and disabling the stream of data to the managed security service. Further imagine that this camera model has been on the market for more than a year.

The initial question is whether there has been a personal data breach. The second question is: If there has been a breach, what is the potential harm to the rights and freedoms of customers? The answers to these questions must be determined carefully and promptly. If there is a high risk of harm to the rights and freedoms of the customers, the breach must be reported to the supervisory authority within a 72-hour window and reported to the affected customers, as stipulated under Article 33 of the GDPR.

If a breach is determined, there are many dilemmas. How will it impact the value of the brand and reputation of the business? Is a recall of the cameras or a rush to push out a firmware fix required? Will customers be lost due to a loss of trust? Is it better to wait to report the incident after all the facts are known?

These dilemmas can often lead to a conflict between those focused on organizational risk and the DPO, whose primary concern is the data subject. Questions that fly across the room during these discussions will further muddy the direction and actions of the DPO, if they are not clear on their mandate.

The DPO must have the ability to communicate effectively — considering the human factor — with those charged with the decision to report or not. But, in any discussion, the DPO must jump with agility directly into the shoes of the data subject. From this perspective, they can assess the risks and present the arguments for and against reporting the breach. If the DPO's recommendation is to report, and the board decides otherwise, the DPO has still done their job. As long as the DPO has documented the process/steps leading to the final decision, they have done as much as can be expected to protect their charge, the data subject. Some DPOs may find this stressful and challenging because of the passion they hold for their job and its link to human rights.

Under Article 38(3) of the GDPR, the DPO cannot be dismissed or penalized for doing their job. A problem arises when the organization's culture is not akin to transparency and doing what is right, i.e., when the bottom line is simply profit. In such cases, the DPO can find their position untenable over a longer term. This surfaces as a symptom of an organization not compliant with GDPR internally, which may not be immediately visible externally, except for the high turnover of DPOs. 

In my experience, although DPOs cannot be dismissed or penalized for doing their jobs, and are required to be given the tools and resources necessary to do it, there is, nonetheless, a pandemic of DPOs unable to operate effectively. The DPO could be far too embroiled in business politics and not clear on the scope of their assignment. They may not have a direct reporting line to the board, which hampers their ability to execute and communicate. The DPO could be external, and torn by the need to satisfy their customer versus the need to do what is right under the GDPR. Then, there are legally trained DPOs who cannot connect effectively with information technology, and IT-trained DPOs who reports to the legal function and experience a disconnect.

There is a bucketful of problems and dilemmas marring the effectiveness of the role of the DPO that cannot be solved. What is clear, however, is that the dysfunction is not a legal matter, but a human factor.

DPO Handbook: Data Protection Officers Under the GDPR, 2nd Edition

DPO Handbook: Data Protection Officers Under the GDPR, Second Edition provides a comprehensive view of all aspects of the role of Data Protection Officers (DPOs) under the EU’s General Data Protection Regulation (GDPR), starting with a look at how organizations determine whether they need a DPO, defining the skills required for the role, and discussing how to source this skillset.

View Here


Credits: 1

Submit for CPEs


If you want to comment on this post, you need to login.

  • comment Robert Baugh • Jun 6, 2023
    Thank you for the interesting article on the dilemmas DPOs face. While I agree with the commercial bind that DPOs (and in-house lawyers) can find themselves in in these situations, I'm afraid I do disagree with the descriptions of the DPO role, and believe these descriptions can increase the DPO's dilemmas without need. 
    GDPR (Art 39) gives this mandate to DPOs, and this alone: advise the controller or processor on compliance with GDPR and other relevant EU/MS DP laws, monitor that compliance, advise where requested on DPIAs, and cooperate with and be the contact point for supervisory authorities. 
    - A DPO is not "an advocate of the data subject". While this is often said, it has no basis in GDPR and places a very different emphasis on the DPO's role.
    - The DPO's role is not "to ensure there is zero or minimal risk of "harm to the rights and freedoms of the natural person."" GDPR does not place this duty on the DPO, nor on the controller or processor. In the same vein, a DPO's mandate is not "to protect data subjects from the risk of harm — harm that could result from the collection and use of personal data." One of GDPR's two overall aims is indeed to protect data subjects from harm, but that's not a GDPR-specified task for the DPO. There may well be a risk of harm above minimal. 
    - On the same basis, a DPO's "primary concern" is not the data subject and data subjects aren't the DPO's "charge". Much like a lawyer advising a client, the controller/processor is the DPO's charge and their primary concern is the compliance of the controller/processor with GDPR and other relevant EU/MS DP laws.
    I do agree with the article on the very real dilemmas DPOs face. I've been a GC and that's a similar internal advisory role that often has to fight being seen as the person who says no. But I do think, in particular, that the often stated view of a DPO as a data subject's advocate is not set out in GDPR and pushes the DPO unnecessarily into more dilemmas.
  • comment Roy Kamp • Jun 7, 2023
    I agree with Robert's comments below.
    While there may, in some instances, be a dilemma for the DPO, it is clear that they DPO is there to be provide guidance and advice to the organisation to ensure that the organisation is acting in a compliant manner - see for example the DPIA templates issued by the supervisory authorities that require the DPO to be consulted.
    Having said that, the DPO's advice can be ignored by the organisation. I have always taken the view that it is a balancing act but you do need to find a workable solution within the requirements of the GDPR. To the extent the organisation disagrees with the DPO's advice or position, the DPO's responsibility ceases when they have documented their advice and position to the organisation. Ultimately, it is then a decision for the organisation to balance the risks of a given activity.
    One final point needs to be said about the independence of the DPO. There has been sufficient guidance on this topic and several supervisory authority decisions that should provide DPO's with comfort (and perhaps more importantly) clarity on the expectations.
  • comment Manu Seth • Jun 10, 2023
    While the article is enlightening for sure, the question boils down to whether the opinion of the DPO is binding upon the organization if his role is limited to ensuring compliance with reference to GDPR.
  • comment Karen Lawrence • Jun 12, 2023
    Hi guys, great Comments and I see where you are coming from, of course, and super cool when there is a debate. The main thread of the article is on dilemmas faced by the DPO, and on ‘dilemmas’  we seem to have agreement :)
    To expand on the legal technical details. 
    It is clear what is stipulated in the GDPR, and this article does not intend to deviate from that, but reach an audience beyond those who are actually operating in the shoes of the DPO and/or the legal office, bring to life articles 37-39 beyond the legal text.  What is clear to a legal guy is not equally clear to an IT or business guy, and conversely, what is obvious to an IT/security guy may not transcend to a level understood by a majority of legal guys as it stands today.  The fact remains is that we all need to work together to address a common cause, i.e. compliance with GDPR, and in a manner which is understood by all.
  • comment Karen Lawrence • Jun 14, 2023
    I just received a call from a legal friend of mine (who is not able to comment here), but he said that I should append to my Comment, that one should not forget Article 1 of the GDPR which states that the purpose of the Regulation is to protect fundamental rights and freedoms of natural persons.