Data protection professionals and organization management officers share a common question: Who should the data protection officer be? Some argue that a legal professional is most suitable for this role; some argue that an operations professional is the natural pick. This article suggests it’s not the background of a DPO but rather whether a data protection committee exists that would prove critical to an organization’s data protection efforts.
Why has the talk been about a legal professional?
First, let’s review why there has been such a strong call for legal professionals to take on this role. Under the EU General Data Protection Regulation, it is recommended that a person who understands the law and its requirements wear the hat of a DPO so as to aid with data protection compliance. This is logical: A legally trained person who understands the GDPR will be able to advise the organization and craft the policies and contracts so as to define the relevant legal boundaries and liabilities. However, this does not solve the problem of operational compliance.
Take, for instance, Facebook. Facebook is a listed company that obviously has a legal team to manage its liabilities, and yet the company is also under the greatest limelight for what is considered the largest personal data breaches. However, this does not mean that its legal team is incompetent. Instead, one should question if its business team, engineers and the rest of the teams are competent or even involved in the data protection management program, as well as if the legal team was consulted for projects.
Now let’s suppose the legal professional is also knowledgeable about operations. Would this ensure operational compliance with the laws? It is very unlikely. A DPO cannot be the same person who drives standard operating procedures, audits, conducts training, and performs daily monitoring of data protection practices within the organization.
Similarly, if understanding laws is the key or sole consideration of a DPO’s suitability, then any individual with a professional certification (e.g., CIPP/E) would suffice, and lawyers without these certifications should be less qualified to be DPOs than a sales manager with a CIPP/E.
Hence, we argue that it is not the appointment of an individual but that of a committee with the relevant background that will realistically enable an organization to work toward operational compliance in data protection.
DPOs that do not have a legal background can also be entrusted to perform their duties well
Due to the significant cases of the past, we may easily overlook the “lesser” but still significant cases. In particular, there are two cases in Singapore that indicate DPOs, who were not of legal backgrounds, successfully defended their organizations from further punishment such as fines. Let's call them Company A and Company B, and their DPOs "DPO A" and "DPO B," respectively.
Company A is a company that had suffered a breach of more than 100,000 records, which would well satisfy the requirements across most jurisdictions as a serious case that warrants the company to report the breach directly to the regulator. Once they realized the severity of the issue at hand, DPO A engaged a privacy consulting firm to review the root cause of the incident and the potential lapses within Company A. DPO A discovered that their IT vendor did not sufficiently protect the IT system from which the data was leaked and did not have the ability to fulfill the protection obligations of Company A. Moreover, DPO A discovered that the staff required refresher training. Thus, DPO A swiftly championed to terminate the services of said IT vendor and engaged a team of privacy experts to train all the managers to kickstart the retraining program. In addition, DPO A had previously conducted a privacy exercise to prepare the relevant policies and procedures. Supported with evidence of these activities, DPO A successfully demonstrated to the regulators that Company A was serious toward privacy compliance and had matters under control. Eventually, the regulators issued a warning to Company A without any fines.
On the other hand, Company B is a company that had received a complaint against its staff’s poor privacy practices. The regulators conducted an investigation and discovered that Company B had put its privacy practices in place, but the staffer who had committed the breach had acted out of their own accord. More importantly, the staffer had refused to attend training despite Company B having engaged a team of experts for three separate sessions. In the end, the regulators decided that Company B was not in breach of the data protection law, while the individual was issued a fine instead.
These particular cases show that the key to demonstrating accountability does not rely on whether the DPO has a legal background or knowledge on information security, but whether the DPO has helped the company implement proper data protection practices.
It's not that a data protection committee should completely leave out legal colleagues or that the involvement of legal experts is not necessary. On the contrary, data protection committees should have legal experts, such as data protection lawyers, on board.
In order to demonstrate accountability, an organization needs a committee to support a DPO
Consider assembling a committee that comprises both legal and operational expertise. For smaller companies that serve a small group of clients, they may have a relatively smaller data protection (or privacy) committee of two to four staff to manage data protection matters. For organizations that serve large clients, have operations in multiple countries, or have at least 50 staff, they may have a data protection committee of at least six staff.
These internal champions shine even more as the company progresses along the maturity model. They will assist to close gaps and implement improvement measures as the business process owners.
Must we have multiple committees to support multiple jurisdictions?
This is not a stipulated requirement, but we would recommend having at least a DPO to support in each jurisdiction. Just as the penalties differ from country to country, so do the data protection laws.
However, it may be more practical to appoint committees in countries where there is a substantial scale of operations and a large number of personal data is being or expected to be processed. Another approach for companies who do not fit this description could consider instead to appoint a regional DPO to head a regional committee to assist the global DPO and global data protection committee.
Key message for companies
Appointing a DPO alone does not protect the company from breaches nor from penalties. Instead, it is whether a company has operationalized data protection and is able to demonstrate accountability that influences the effectiveness of a DPO. Observing enforcement cases around the world, companies aiming for growth or to sustain growth should appoint at least one data protection committee to implement data protection compliance, thereby winning the trust of their stakeholders and work toward growth.
If you want to comment on this post, you need to login.