In my recent Privacy Advisor articles on the appropriate professions of Data Protection Officers (DPOs) under the General Data Protection Regulation (GDPR), I discussed the statutory language of the GDPR and my interpretation of it.
I also wanted to understand how others are viewing the DPO role under the GDPR, especially those currently in roles responsible for compliance with this upcoming law. To achieve this, I reached out to a national association of DPOs in a leading EU country (Ireland's Association of Data Protection Officers) by surveying the membership. The survey asked people to answer questions about their organization with regard to the DPO role, both current and planned. Although probably not statistically meaningful, as the total number of responses was fewer than two dozen, the answers may shed some light on EU organizations’ current thinking. This article shares the results of that outreach effort.
The survey
The survey asked 10 questions, variously posed as Yes/No, multiple choice, and fill-in-the-box answers. The final two questions dealt with the respondent organization’s industry and its role under the GDPR as either a data controller or a processor. The industries represented spanned a broad spectrum, including health, education, finance, IT, human resources, hospitality, transportation, and national and local government. The data protection roles undertaken by the organizations under the GDPR were data controller, data processor, or both.
The other eight substantive questions and their responses were:
- Will your organization require a different skillset for the DPO role under the GDPR than it does for its current DPO? The majority of respondents answered “Yes,” that a different skillset will be required in the future, while only a few answered “No.” However, the second most common answer was that the organization does not currently have anyone in a DPO role.
- How will your DPO meet the strict requirements for independence under the GDPR (art. 37.1)? Responses varied, and included meeting the independence requirement through a separation of duties, by having the DPO report directly to the CEO of the organization, or by outsourcing the DPO role. Other respondents said they would achieve independence through the use of an independent contractor, already viewed their DPO role as independent, were not sure whether the DPO would be independent, or were still trying to determine how to meet this requirement. Access to independent legal counsel and a separate budget were cited as techniques to ensure independence.
- How will your DPO avoid conflicts of interest as specified by the GDPR (art. 38.6)? Some respondents addressed potential conflicts of interest by outsourcing the DPO role, while others thought that sufficient conflict of interest rules were already in place within their organization. Other respondents looked to the DPO function being the sole role this person would hold as a sufficient control to avoid conflicts of interest, were not yet sure how the DPO would avoid conflicts of interest, or felt it was up to the personal and professional qualities of the DPO themselves. Even where conflicts of interest are avoided, respondents raised concerns about competing demands on the DPO’s attention and resources.
- Will your DPO report directly to the board as specified by the GDPR (art. 38.3)? The vast majority of respondents agreed that the DPO in their organization would report to the highest level of the organization, with only a small percentage lacking this type of reporting line.
- Will your DPO, required by the GDPR to have expert knowledge of data protection law (arts 37.1 and 37.5), be a privacy lawyer, an auditor, a compliance specialist, an IT specialist, a non-technical manager, or from some other profession? The answer choices presented were auditor, compliance specialist, IT specialist, privacy lawyer, non-technical manager, and other (fill in the box), and the question allowed for multiple answers. The professions specified in the responses were broad, with the largest numbers for compliance specialist, IT specialist, and non-technical manager. Professions specified in the “other” category included records manager, administrative person, and business manager.
- How many years of professional experience will your DPO have? The respondents to this question, unlike many of the DPO hiring advertisements being posted online, looked for a very experienced professional. The number of years of experience expected of the DPO ranged from five to seven years at the low end up to 30 years. Only a few respondents thought that the DPO role could be filled with an inexperienced resource.
- Will your DPO role be filled by one person or more than one person? Three-fourths of the respondents believed that a single person would fulfil the DPO role, while the other one-quarter believed that the role should be filled with more than one person.
- Will your DPO role be filled internally, hired externally, or outsourced? About two-thirds of the respondents believed that the DPO role would be filled internally, with the remaining one-third looking to outsource the role. None of the respondents were looking to hire this resource externally and bring them on in the DPO role.
Takeaways
This survey was targeted at organizations that have already become members of a DPO association, so their understanding of the GDPR’s requirements is likely further developed than that of the average firm subject to the GDPR. Nor was the survey statistically rigorous, given the limited number of respondents, yet there may be some useful takeaways. One takeaway is that there seems to be a recognition that an additional skillset may be required of existing DPOs who continue in this role under the GDPR, as well as of new DPOs.
A second takeaway provides some insight into how organizations are looking to deal with what may be the most difficult criterion for the DPO role: ensuring the DPO’s independence and avoidance of conflicts of interest. Outsourcing, separation of duties, reporting chains, independent contractors, conflict rules, the absence of other duties, and professional and personal qualities were among the solutions suggested, along with access to independent legal counsel for non-lawyer DPOs and an independent budget. I expect this requirement to evolve the most over time, as organizations work to make the role truly independent of those responsible for designing, operating, and overseeing the privacy and security functions in the organization.
It was heartening that these organizations understand the requirement for the DPO to report to the highest levels of the organization and the need for a highly experienced resource to fill the DPO role. It was a bit surprising that the majority of these organizations view the DPO role as being filled by a single person rather than a team, but that could merely be a snapshot of who answered this survey (it did not ask the size of the organization). Organizations clearly have many ideas about the type of professional ideally suited to the DPO role and seem to consider outsourcing a viable alternative for filling it if internal resources are not available.
As this brief snapshot of the DPO role was an initial effort, it would further increase the validity and usefulness of the survey if IAPP members also responded to these ten questions. You can confidentially take the survey in just a few minutes, or alternatively email me directly.