For all the changes the EU General Data Protection Regulation ushered in, the requirement that applicable organizations must hire a data protection officer has caused its fair share of heartburn. The mandate that the position must be independent and monitor a company's compliance with the law, as well as advise the company on data processing and serve as a liaison to the data protection authority, has, anecdotally, incited some anxiety among a wave of new DPOs about how to balance outward-facing and inward-facing obligations.
At the RSA Conference in San Francisco, California, Irish Data Protection Commissioner Helen Dixon shared the stage with Salesforce DPO Lindsey Finch and IAPP Research Director Caitlin Fennessy, CIPP/US, to discuss the pain points DPOs have articulated as the GDPR's two-year anniversary approaches.
Dixon said there have been more than 1,500 new DPOs appointed in Ireland, and the feedback has been clear: There's "a lot of stress and tension about what the role requires."
Under Article 39 of the GDPR, DPOs are obligated to monitor the organization's compliance requirements internally, must be the contact for members of the public seeking to exercise data subject rights, and also must cooperate with data protection authorities as needed. While some DPOs have expressed frustration that there's inherent conflict in wearing all three hats, Dixon said it boils down to the DPO's responsibility to be an expert in data protection laws and practices and to assist the data processor in complying with the GDPR, which, if executed correctly, is in harmony with data subjects contacting the organization.
"The part that probably creates the most nervousness is the cooperation with the DPA," Dixon said. "Because we’ve been asked many times, 'am I a type of whistleblower?' I don’t think that’s what’s intended under Article 39." She added the DPO is simply there to be a point of contact to "swiftly assist the DPA for whatever information they're looking to see."
As Ireland's data protection regulator, Dixon is responsible for a significant number of U.S. multinationals with establishments in the EU, and since the GDPR came into force the spotlight has been on her to investigate and enforce the EU's sweeping data protection law, among her office's other mandates. She said DPOs are essential to regulators like herself to make "the resources of the DPA more scalable, because the DPO is now the interface with members of the public who want to raise complaints."
Ostensibly, that takes some of the weight off the DPA's shoulders, with complaints and queries from data subjects being vetted at the company level versus going straight to the regulator.
"At least that’s the theory," she said. "We really have huge vested interest in helping (DPOs) interpret their role under the GDPR and bringing it into sound practical implementation."
Finch said that at Salesforce, which has 50,000 employees globally, as well as among her fellow DPOs at other organizations, the main challenge is the ongoing interpretation of the GDPR's provisions.
"The GDPR is now almost two years old but we still don’t know exactly what a lot of it means," she said. "Its meaning can be very nuanced, even if we do have a decision from the (Court of Justice of the European Union) on a particular matter, that could be specific to a particular case." She said it has been difficult to navigate some of the complexities of what, in any given situation, the risks to individuals are and how to balance them against the potential benefits to the company.
"I think ultimately the challenge is keeping up with not only interpretations of the law, where it’s going and the uncertainty around that, and also just where the tech is progressing," Finch said.
She added that beyond legal compliance obligations, the added complexity is figuring out not just what the company can or can't do but what it should do. In fact, to address that, Salesforce has established a "chief ethical and humane-use officer," focused not only on products, but also on customers' use of the technology itself.
For DPOs who may be concerned about being the ethical guardian of a company's data processing, however, Dixon said that's not what DPAs expect, because that's not what the law mandates. She said that expecting a DPO to fulfill their obligations under the law and also to design an ethical framework beyond compliance is too tall an order.
She said the DPA has to make conclusions based on "whether there's compliance with the legal framework as it's set down." Sure, in an ideal world, the DPO can say to product management, "We shouldn't go there; it doesn't seem very ethical," Dixon said, but "we're a very long way away from that kind of approach."
Given the anxiety DPOs have articulated about the scope and expectations of their role, Dixon's office will in March host a "DPO Network Conference" in Dublin. It aims to bring together leading data protection experts to help clarify for DPOs how to apply the relevant legislation, as well as allow for peer-to-peer engagement.
The conference is in response "to a feeling among DPOs that they're not achieving anything, and not achieving anything positive," Dixon said. "So we want to intervene on that."