With about 75,000 data protection officers needed worldwide because of the EU General Data Protection Regulation (and probably more), many organizations are still looking for one. Much is said about the tasks of the DPO and its position under the GDPR, but what should the DPO be looking for in a job?
1.) Why me?
Probably the most important thing for a DPO to understand is why the organization wants him or her as a DPO. Why were you selected? Which strengths (or weaknesses) were attractive to the person making the hire? Was it your in-depth knowledge of privacy and data protection law to ensure the organization doesn’t get a fine for noncompliance? Was it your experience with information security to prevent that serious data breach from two months ago from happening again? Is it your talent to realize behavioral change in the organization? Your previous DPO experience? Or your good relations with the data protection authority? Or were you hired just because you call yourself a DPO on LinkedIn?
Perhaps it's your weakness that is the most attractive feature. Were you hired as part of a larger window-dressing operation? In other words, are they expecting you to sit still, play nice and avoid causing any problems? Or do they not expect you to accomplish anything real except to shuffle paper with regard to data subject requests and refer any questions of the DPA to outside counsel?
The job description in the ad will help you get a large part of the answer. Other sources of information include the organization's corporate social responsibility values (if any), newspapers, internet, and, of course, the interview with the people hiring you. But it sure helps to have a coffee with one or more people who are not part of the hiring decision before saying yes.
2.) What are my tasks and powers?
You really want your organization to think ahead of what it means to have a DPO — that they have made an informed decision about the role, its tasks and procedures, the reporting structure, and so forth. Too often, DPOs are appointed without a clear job description. For some, that is an opportunity to build the role from the ground up. For others, it is a possibility to steer the role in the direction of their own personal skills and interests. If you are one of those people who values structure in your job, then you’re probably in the wrong place and will most likely fail.
Being a DPO in an organization that knows what the job entails also means that there are shared expectations about how the job should be performed. Not only does it tell you whether they see you as the right fit for the organization, but also whether the organization is the right fit for you.
3.) Do I have a budget?
Under the GDPR, the DPO is independent. He or she cannot receive any instructions related to the exercise of his or her tasks. And the organization must provide the DPO with the resources necessary to carry out those tasks. One of the most important factors that influence the DPO’s independence and effectiveness is the budget. A budget allows the DPO to do site visits; hire a team to support the DPO (and to compensate for any lack of specific DPO skills, such as legal, IT or audit) and bring in external support in case of serious problems (e.g., an IT auditor); pay for training; purchase books and subscribe to magazines; visit conferences and seminars; become a member of one or more associations for DPOs and privacy professionals, like the IAPP; and keep up with the latest developments in the privacy world.
At the very least, the DPO should be able to access a budget that is earmarked for the DPO’s tasks and responsibilities. But having somebody else controlling that budget means that the DPO could indirectly be hindered in the performance of his or her tasks. This could take place by blatantly denying any requests, or more likely by office politics and nudging. It is therefore preferred that the DPO manages his or her own budget so as not to be dependent on others. Typically, that also means the DPO must be trusted with that budget. In many organizations, one is only allowed to control a budget if one is a manager. Being able to control the DPO budget is perhaps the most significant indicator of the level at which the DPO is being graded and the level of influence the DPO will have in the organization.
4.) Who will read my reports?
The GDPR requires that the DPO must report directly to the highest level of management. The idea behind that rule is that management stays informed about the level of compliance and any incidents in the organization and is able to take corrective action. In practice, however, too many DPOs only have a formal reporting line with management. Most, if not all, of their reports are only read by project managers and lower-level managers. Not that that is wrong per se. Not everything deserves to be escalated to the board, and practical influence is best achieved by convincing the people who are actually involved in the design of the business process or who are running the data processing operations on a daily basis.
The DPO must not only exercise influence on the operational level, but he or she must also be a factor in the strategic decision-making to help the decision makers understand the risks associated with data processing, such as brand reputation, financial risks (including fines), and the business-continuity risks of noncompliance. A DPO who knows his or her stuff should be able to advise the board on such matters.
5.) Will you protect me and put that in writing?
Last, but not least, if you are the DPO, you really want to be sure your boss has your back when things get ugly — and they will — irrespective of whether that boss agrees with you or not. Ideally, the position and independence of the DPO, including its role, powers, tasks, reporting and escalation procedures, is laid down in a charter signed by the CEO and the DPO, just like many internal audit departments have a charter to ensure their independence. Likewise, a DPO charter may contain the possibility to escalate the really serious noncompliance issues to other stakeholders, such as the board of directors (if any), the works council (if any), or any other relevant stakeholders.
Of course, a DPO who has the personal competencies to perform the job properly, including interpersonal communication and problem-solving skills, will never need to rely on such a charter. Authority should come from personal style rather than formalities. Yet, if things get serious, it helps to have such a charter tucked away in your upper desk drawer.