In the wake of the EU General Data Protection Regulation, an estimated 500,000 organizations have registered a data protection officer with their respective data protection authorities. However, recent data tells us there remains confusion regarding what it means to be an organization’s DPO.
The IAPP-EY Annual Governance Report of 2019 revealed that 72% of the 370 respondents work in a firm that has an appointed DPO. The roles and responsibilities of DPOs varied greatly among these firms, so the IAPP set out to seek clarity on the DPO role under the GDPR. To do this, we analyzed results from the IAPP-EY Governance Survey and spoke to three DPOs representing organizations varying in size and type.
What the IAPP-EY Governance Survey of 2019 revealed
The survey uncovered notable inconsistencies in implementation of the DPO role between companies, such as where in the organization the DPO sits, how their position as a DPO compares to other privacy professionals in their organizations and to whom the DPO is required to report. Perhaps the most surprising inconsistency is whether the DPO role caters more to individual data subjects, the organization or regulatory authorities. This irregularity was not addressed in the survey but became prominent when speaking to several different DPOs.
When asked where they sit within the organization, nearly half of respondents indicated within their organization’s legal team, just over a quarter of respondents answered they are a part of their organization’s regulatory compliance team, and a smaller percentage of DPOs signaled within either the privacy and data protection team or information security team. Regardless of which team the DPO works with, most DPOs act as their organization’s privacy leader. Those who are not the privacy leader indicated the chief privacy officer typically holds this title, making the DPO a more junior position.
DPOs are also generally more junior than the organization’s chief privacy counsel, although only half of respondents work in organizations that have a chief privacy counsel. A handful are either equivalent to or more senior than the chief privacy counsel, 46% of DPO respondents answered their position is equivalent to that of a chief information security officer, and 30% of DPOs indicated their role is equivalent to that of chief information technology officer.
Article 37 of the GDPR requires organizations to appoint a DPO, who, in turn, reports to the highest level of management within the organization. Many respondents indicated their organization’s DPO reports to the privacy leader, most likely the CPO. Other answers included the board of directors, chief compliance officer, CEO and general counsel. Because no answer was more prominent than the others, this is one area of the DPO role that is very inconsistent and varies depending on the organization.
Insight from DPOs across the globe
The IAPP turned to DPOs from around the globe to better understand the role they play in the world of privacy and how it is working for their organization.
Evan Davies, CIPP/E, CIPP/US, a U.K.-based DPO working for a small marketing research organization, gave the IAPP insight on his GDPR-mandated role. Davies began working with his organization while the GDPR was being implemented and has worked to ensure his organization complies with the regulation, citing his top priority as decreasing and eliminating risks.
Due to the size of his company, he sits within a small compliance team and acts as the organization’s privacy leader. He named the most challenging part of his role as being the application of the GDPR to market research. Davies stressed the importance of understanding the inner workings of his organization to be able to accurately and appropriately apply the GDPR. In other words, a successful DPO will be familiar with their organization's processes and goals to determine how to best apply the GDPR.
When asked if his role was more regulatory, company facing or individual facing, Davies stated that he begins every privacy analysis by thinking of the data subjects with the goal of ensuring that their privacy is protected, indicating his role as a DPO is more individual facing.
Conversely, the IAPP’s very own DPO, Rita Heimes, CIPP/E, CIPP/US, CIPM, provided information on her non-GDPR-mandated role.
Though not required, the IAPP set out to create a privacy program that meets GDPR standards due to its many members and customers in the EU. Heimes sits in the legal department and reports directly to the CEO of the IAPP. She cites her top priority as understanding how the IAPP uses data across product and service lines to be as transparent as possible with members and customers.
When asked what her top challenge is as a DPO, Heimes said being the DPO for an organization whose members are privacy professionals, as they hold the IAPP to the highest of standards. However, she emphasized this is also incredibly helpful to her role as the organization’s DPO because members are always willing to offer advice as to how the IAPP can improve its privacy program. She named the internal staff of the IAPP as her most important client, suggesting her role is more company facing, but noted the members and consumers are close behind.
Uber DPO Simon Hania offered insights into how the role of a DPO in a large organization is scoped.
Uber has a data protection office in which the DPO works, which helps to keep the DPO's role more independent. This builds credibility and trust as data subjects can be certain their right to privacy is being addressed.
Uber requires the DPO to report to the chief legal officer and CPO. As a GDPR-mandated DPO, Hania is largely focused on the GDPR and how it applies to Uber, meaning that he caters to his organization first and foremost. Simon advised that he does not often interact with either data subjects or the organization outside of the data protection office. Instead, he works closely with DPAs.
When conducting privacy assessments, Hania thinks about how the regulators would approach and answer the question he is assessing so he can best comply with their standards. The data protection office does not have contact with data subjects because this is the obligation of the controller.
Hania stressed the importance of independence and autonomy as a DPO for an organization but also advised there is no “one size fits all” for the role of the DPO. What works for Uber may not work for differently structured businesses. Uber offers a DPO chart explaining the data protection office and duties of a DPO and presents how Uber approaches privacy matters as a resource for other DPOs.
Irish DPC offers support on DPO role
To better understand the differences in roles between the above-mentioned DPOs, the IAPP reached out to Cathal Ryan of the Irish Data Protection Commission.
Ryan addressed the difficulty in interpreting a regulation such as the GDPR and noted how the role is implemented within an organization largely depends on what resources are available. The DPO position is akin to that of in-house counsel, in a sense, because the DPO must be independent and raise privacy issues with the highest level of management.
Unlike the role of in-house counsel, who must complete several years of education and training to be qualified, there are no training requirements for a DPO. Organizations with few resources may find it difficult to find an individual with enough expertise because they cannot pay that individual a high enough salary nor can they afford to provide proper training. As a result, some organizations may end up hiring anyone to fill the shoes of a DPO to meet the requirement under the GDPR. Ryan urges companies to take the responsibility of hiring a DPO seriously and avoid merely filling the position with any unqualified individual to satisfy the GDPR requirement.
He also provided advice on what organizations should look for when hiring a DPO. Since DPOs must be independent and report to the highest level of management, they often do not have the backing and support of the organization when raising privacy issues. Therefore, he believes a DPO must be a strong, influential individual who sticks to their guns regardless of how the organization reacts to the issues raised by the DPO. Because the role is not a particularly easy one, organizations will want to set a high standard in terms of market and salary to attract individuals with the education and experience needed to be successful. He also encourages organizations to review guidelines from the EDPB and Irish DPC when hiring.
The Irish DPC has established a Data Protection Officer Network, which allows DPOs to gather with other DPOs in similar sectors. The network facilitates peer-to-peer support for DPOs trying to make sense of this new role. Because sectors approach data protection differently, creating networks by sector allows each one to have tailored DPO guidance. Ideas and information gathered in these networks are reported back to the entire sector, ensuring all DPOs are on the same page.
Ryan says this system of networks has been incredibly effective in helping DPOs better understand their responsibilities. In addition, the DPON’s peer-to-peer structure has helped DPOs understand the different interpretations of the GDPR and become more confident in their implementation of its requirements. He believes involvement in a DPON enables DPOs to gain the crucial characteristics and confidence a DPO should embody. Confidence leads to an individual that is strong, influential and sticks to their guns — the type of DPO all organizations should seek.
While creating a DPON has helped tremendously in clarifying the role of a DPO, the role will not likely be consistent across the globe anytime soon. The position must be filled in accordance with the organization’s resources and company culture. Because so many factors affect the hiring of a DPO, creating a consistent role that would work for all types of organizations all over the world may not be realistic.
However, creating sector-based networks that are representative of small, medium and large organizations appears to be an effective way of creating uniformity in the DPO role. Perhaps uniformity throughout sectors is the most appropriate way to approach the role of a DPO, as each sector deals with data protection differently. The good news is that DPAs are aware of the challenges DPOs face and are actively working to support DPOs as they settle into their new roles.
For more information regarding the role of a DPO, check out the EDPB’s Guidelines on Data Protection Officers. This document clarifies the definition of a DPO under the GDPR and takes a step-by-step approach to help organizations understand whether they need to appoint a DPO and, if so, for which tasks the DPO is responsible.
On Feb. 26, 2020, IAPP Research Director Caitlin Fennessy will moderate an RSA-hosted webinar on operationalizing the DPO role with Irish Data Protection Commissioner Helen Dixon and Salesforce Executive VP and DPO Lindsey Finch.