Progress is generally gauged through reflection and evaluation, and a person’s career is a prime example of where progress checkpoints are crucial. Those evaluations, or a lack thereof, are proving to be few and far between for companies and their data privacy officers.
According to officers interviewed by The Privacy Advisor, measurements for DPO efficacy are largely non-existent, leaving DPOs to self-assess their work and its effect on their company.
"Part of it is that some organizations just appointed a DPO to check a box for (EU General Data Protection Regulation) up front, meaning they weren’t thinking about whether a person was going to do a job efficiently," Shopify Associate General Counsel and DPO Vivek Narayanadas, CIPP/E, CIPP/US, said. "But when you talk about measuring consistently across companies, every DPO just has a different role. Thinking about measurability across these different contexts almost seems impossible."
With that said, there’s no lack of effort and desire to find ways to examine a DPO’s effectiveness and competency. Narayanadas admitted Shopify is at least attempting to chart efficacy in some fashion while looking to expand those evaluations.
"We tend to focus on two metrics for our purposes," Narayanadas said. "One is around efficiency and costs, focusing on our use of outside counsel spend. The second centers on support inquiries related to privacy. We have a pretty robust support infrastructure, keeping tabs on what people are asking about, response rates, time to respond and things of that nature."
Narayanadas added Shopify is in the process of working on versions of self-evaluation for DPOs with a still-developing audit-ability framework.
"I think it’s important because, in a sense, we need to prove internally within our legal team that we’re doing the job we want to be doing," Narayanadas said. "It would help us understand if we’re missing something or failing to do something that a proper DPO would."
As Shopify and other companies continue to devise metrics and frameworks, Narayanadas believes it’s largely up to the DPO to find a way to track their own effectiveness. The idea of self-evaluation comes back to how a DPO’s role and responsibilities change from organization to organization, according to Dropbox DPO Mark Crosbie.
"This is a role that leaves it up to each individual to craft what effective looks like," Crosbie said. "It’s got to make sense for them, their industry and the company. That’s a fairly unique thing to find these days, which makes the DPO role so interesting and compelling. You really do have the chance to draw up what good to great looks like in this role."
Crosbie and Narayanadas agreed that how a DPO’s advice is weighed by a company is an easy way to gauge their own effectiveness. Crosbie said an effective DPO "ensures the right changes happen at the organization or organizations that they supervise," while being brought in to consult "at the right points in time." Narayanadas said a valued DPO is one that can provide "contextual advice," or that is "able to go beyond how the law requires X, Y and Z," and then relay it accurately and fairly so that it can be received effectively.
On the subject of advice, Dyann Heward-Mills, CIPP/E, CIPP/US, CIPM, founder of data protection consultancy HewardMills, said DPOs can’t assess their performance negatively if an organization refuses what turns out to be accurate advice.
"Ultimately in many scenarios or situations, the DPO will provide their opinion and advice, leaving it to the business to decide whether to take it or not," Heward-Mills said. "If you choose not to follow the advice and find yourself exposed to risk, you can’t reflect that back on the DPO as some form of incompetence. The controller is the one liable for noncompliance."
HewardMills is in a unique position with its outsourced DPO services. The firm supplies clients with DPO services or advises internal DPOs at the request of that DPO or their organization. Heward-Mills admitted efficacy assessments of their work are simpler and more clear-cut than what might be seen with an internal DPO.
"It is perhaps a little more straightforward to assess the outsourced DPO if you don’t like the service you are receiving," Heward-Mills said. "It’s likely more challenging with an internal DPO because, in some way, the role is protected. If you’re critical of your DPO, you have to be careful you’re not in any way triggering employment-type concern or potentially a whistleblowing-type scenario."
The other factor hampering any current efforts to measure DPO efficacy — whether it be an outsourced or internal service — is the newness of the role. Crosbie pointed out the work of a DPO is still fairly new given the GDPR only came into effect less than two years ago. That is reason enough for the current lack of metrics, but that reasoning won’t stand forever.
"I understand the hirings in the GDPR rush, but once that initial hype wears out, we will be asked and expected to improve our value beyond the basic requirement of the law," Narayanadas said. "I think it behooves us to think about ways to show we are improving our performance and the company generally. Maybe there aren’t metrics for everyone, but there’s got to be something to show you are doing what is expected of you and improving over time."