Two pros weigh in: Should the DPO be a lawyer? Perhaps an auditor?

In January, Thomas Shaw wrote an article for The Privacy Advisor on the essential job skills of data protection officers under the General Data Protection Regulation. Having read it, Emma Butler responded online with her views, and, after some back-and-forth, the two decided to write an article together highlighting the many areas they agreed upon and further analyzing where their perspectives and insights differed.

Shaw is a privacy and technology lawyer who has worked across disciplines around the world, while Butler was a long-time member of the U.K. Information Commissioner’s Office and is a current DPO. Both are based in the EU. 

Editor's note: Emma Butler was the featured guest on the IAPP Web conference series, "Ask the DPO," on April 4. The program, available as a recording for new registrants, is free to IAPP members. 

Thomas Shaw: On DPO job skills

In my previous article on the essential job skills of data protection officers (DPOs) under the GDPR, I discussed those job skills that DPOs must have as prescribed by the actual language of the GDPR. Then based on my experience, I described the type of professional expertise best suited to fulfill that GDPR requirement. To a large extent, I was writing my own CV, knowing how each of these skillsets would bring value to the DPO role. I believe a single skilled resource should be the starting position for organizations. If such a resource cannot be found, then the DPO candidate must be supplemented with members of the DPO team who have the skills the DPO may lack.

The GDPR requirements for the DPO’s skills, qualities, and tasks include:

• risk assessments, countermeasures, and data protection impact assessments;
• expert knowledge of data protection law and practices;
• performing duties and tasks in an independent manner;
• not receiving any instructions regarding the exercise of those tasks;
• performing other tasks, only if these do not result in a conflict of interests;
• handling data subject requests;
• marshaling resources and leading people and projects;
• maintaining his or her expert knowledge;
• being bound by secrecy or confidentiality;
• directly reporting to the controller/processor’s highest management level, and
• cooperating with and acting as the contact point for the supervisory authority.

Professions matching DPO job skills

The two professions best suited to carry out the role of the DPO are experienced privacy- and technology-focused lawyers and IS auditors licensed as certified public accountants or chartered accountants. A privacy- and technology-focused lawyer is a licensed professional with hands-on experience with IT programming and operations, IS auditing, and privacy certifications/seals and information-security standards, in addition to experience with varied privacy and information security laws, policies, and provisions. IS auditors would have experience with various types of attestation audits, including privacy and security. Both should have the appropriate professional privacy- and information-security certifications.

Both types of professionals should be able to carry out the following aspects of the DPO role equally well: reporting directly to the highest management level of the controller/processor; exercising the tasks of the DPO without receiving instructions; working in an independent manner, and being sensitive to not creating any conflicts of interest. Licensure rules for the regulated professions of lawyer and public/chartered accountant both require continuing competence, maintaining integrity, avoiding conflicts of interests, taking sufficient continuing education to maintain his or her expert knowledge, and being bound by rules of professional secrecy and confidentiality. Although lawyers tend to have a broader code of ethics to comply with, lack of compliance with their respective ethical rules by those in either profession could lead to loss of their ability to practice publicly.

The two professions best suited to carry out the role of the DPO are experienced privacy- and technology-focused lawyers and IS auditors licensed as certified public accountants or chartered accountants. — Shaw

Both professions need to have significant negotiation skills, although given their typical roles, the lawyer will likely have deeper negotiation experience. Both should have knowledge of risk assessments, countermeasures (including those implemented in software by programmers and in IT infrastructure), and data protection impact statements, although auditors will likely have more in-depth risk-mitigation experience. Both may have understandings of privacy by design and default, but the auditor may have more in-depth knowledge through assessing control design. Both should be able to marshal and lead resources, teams, and projects and handle data-subject requests without difficulty, handle internal and external relationships, communicate effectively with all parties, educate controller/processor personnel and data subjects, and raise data protection awareness.

What tips the balance between the two is the requirement to have expert knowledge of data protection law and practices, which is something to be expected from the lawyer but not from the auditor. This requirement is more complicated than it appears, as it involves not only the GDPR but other EU law such as the ePrivacy Directive (or its successor) and relevant cases, and also likely, given the global interplay of organizations, the data protection and other relevant laws as well as cases of many jurisdictions, and the necessary conflict-of-laws analyses to determine which laws prevail. In an independent role, a DPO providing legal advice and analysis who is not a licensed lawyer may also become involved in the unauthorized practice of law. If they instead use the organization’s corporate counsel to perform the legal analyses, the DPO may no longer be viewed as independent.

Therefore, my opinion is that the best professional to fill the role of DPO under the GDPR is an experienced privacy- and technology-focused lawyer. The privacy and technology focus of this lawyer is essential, as these would not be typical skills of the average lawyer. There are other qualities of a lawyer that also weigh in their favor as the best profession to fill the DPO role, including the use of legal privilege in certain cases when the controller or processor is subject to litigation or other adverse actions and possibly in their role as a witness or expert in legal cases. The second-choice professional to fill the DPO role should be an experienced and licensed (CPA/CA) IS auditor, one who has significant experience in leading various types of audit engagements. For either choice, the DPO team should have a member that complements the DPO, such as an experienced IS auditor, when a privacy- and technology-focused lawyer is the DPO.

Beyond those two professions, it gets more complicated for organizations trying to fill the DPO role with other types of professionals, multiple people, and/or with a combination of internal, hired, and outsourced resources. As a rule, in these types of situations, organizations must stick hard and fast to the following two rules. First, they must not utilize anyone in the DPO role who could create a conflict of interest. For example, as a recent case in Germany demonstrated, the role of IT manager is inappropriate for the role of DPO under current German law, given the required independence of the DPO from IT operations. Second, any resource filling the DPO role must have sufficient legal and technical skills to carry out an independent assessment of the organization’s data protection practices without relying primarily upon the judgment of the organization’s staff.

DPO hiring errors

I continue to review DPO job postings here in the EU and am regularly frustrated by some organizations’ understanding of the requirements for DPOs under the GDPR. The most common errors are looking for DPOs with too little experience (a few years is a common requirement), insufficiently broad job experience (focusing on only one of several needed disciplines), and lack of independence, with DPOs reporting into IT, legal or compliance organizations instead of the board as the GDPR requires.

Another error is that organizations assume that their current DPO or similar should be their DPO under the GDPR. That may certainly be valid, but it would be a useful exercise to vet the existing DPO against the job skills discussed above. When discussing the role of the DPO under the GDPR, examples are often cited based upon current experiences under existing legislation, primarily national enactments of the Data Protection Directive. I believe, while instructive and possibly the best historical examples that we have in the region, the DPO role under the new GDPR legislation is a somewhat different role, one that may require consideration of what is now required and intended before organizations which already have a DPO automatically slot that person into the DPO role under the new law.   

Another common misconception, which an army of vendors are perpetuating including unfortunately the IAPP itself, is that you can create a DPO merely with training and certifications without basing it first upon a broad foundation of existing diverse skills gained through years of experience. There is some belief that one can make a DPO out of an inexperienced resource. That is just not accurate. What can be accomplished is for an organization to train an existing experienced resource, with many of the professional skills and responsibilities discussed above, in the specifics of the GDPR and hopefully deploy that resource in time into the role of DPO. While using an inexperienced resource can be viewed as the way forward for cost or resource-constrained organizations, they may be making a choice between full compliance with the GDPR and their other business objectives. Given the significant penalty regime of the GDPR, organizations should consider the need to staff the DPO role appropriately from the start to achieve their short and long-term goals.

A response: by Emma Butler

There is a lot of attention at the moment on the role of the DPO under GDPR and what skills and qualities are needed. Here is my take on what your DPO should have and what’s nice to have.

Role

Data protection law is a framework for handling personal information fairly and responsibly, and it therefore touches most, if not all, parts of a business. Equally, those responsible for data protection compliance in a business will find that their role touches most if not all parts of the business. Whether you are a lone DPO, part of a team or head of a privacy office, the role requires a wide variety of tasks, skills and experience that cannot actually be fulfilled in its entirety by one person. The key point about a DPO role is that you need to be able to work together with all departments in a business to be successful.

Skills and knowledge

The DPO is the role responsible for thinking about compliance, considering the individual as well as the business, explaining requirements, and bringing together the right people to get the job done. So, leadership, being able to see the big picture and project management skills are particularly relevant.

A DPO needs to know not just what the law says, but what it means, and how it applies to the business in question and its activities. I do not believe that only a lawyer can have this knowledge and these skills, and I strongly believe that you don't have to be a lawyer to understand a piece of law. Almost all of the staff of the ICO do not have legal qualifications, and there are many examples of successful DPOs and CPOs who are not lawyers. What is actually more difficult is to apply the law in practice, and to be able to come up with creative solutions so the business achieves their aims and you achieve your privacy compliance. This is not a skill exclusive to those with legal qualifications. 

A DPO needs to know not just what the law says, but what it means, and how it applies to the business in question and its activities. I do not believe that only a lawyer can have this knowledge and these skills, and I strongly believe that you don't have to be a lawyer to understand a piece of law. — Emma Butler

A successful DPO uses the law, regulator guidance, case law, good practice gleaned from peers and cases where it went wrong, and their own experience for all the above to advise their business appropriately. A clever DPO builds on and uses the expertise available across the business from the other functions; crucial to getting buy-in and support.

Communication skills are key: you have to be able to communicate the above to the different parts of the business in a language and format they understand. You’re aiming to get data protection embedded into the policies, processes and culture of the organization to be business as usual. That’s the end game of the GDPR accountability principle.

It is no longer just about lawyers vs. non-lawyers. A whole plethora of qualifications has sprung up as people see the money to be made out of GDPR. — Butler

There is no such thing as too much knowledge or too many skills, so it’s a bonus if a DPO has skills and knowledge of any of the functions they commonly work with, such as HR, legal marketing, IT, audit, risk management, procurement, product development, sales, and so on. It is becoming increasingly important to understand new technology and more and more businesses are certifying to ISO 27001, so a DPO who gets information-security controls and who can get to grips with things like algorithms, deep learning, encryption and similar is at an advantage.

Experience

The experience you need depends on the scope and level of privacy role. Some of the staff you need to carry out some of the GDPR DPO role/tasks could be at a more junior level. It is likely that the person you need to lead the GDPR compliance work and to be the key DPO contact for you will need to be a senior role. Regardless of level, experience in a sector is an advantage, even if it was in a different role. Equally, the skill mentioned above of applying the requirements to the current business scenario means DPOs are not limited to always working in the same sector, and cross-sector expertise is also helpful, as you can bring new thinking to the table.

Qualifications

It is no longer just about lawyers vs. non-lawyers. A whole plethora of qualifications has sprung up as people see the money to be made out of GDPR. Those looking to hire DPOs and/or GDPR leads need to be careful not to be dazzled by qualifications, but to make sure they write a job description based on what they actually need, and hire the right person for the role and the business. I am not saying qualifications are not important, but they are many and varied and not all may be appropriate for what you need. Qualifications in other areas, such as people management, conflict resolution, law or project management can though be helpful, again, depending on what you need.

The privacy profession is young compared to other industries and is developing at a fast pace. It has some great qualities compared to other professions, most notably that there are equal numbers of men and women in the role and in senior positions, and that privacy professionals come from all walks of life, and bring so much rich experience to the table. That can only be a good thing to develop the profession.

The GDPR DPO role should lead to a wealth of opportunities in larger companies for aspiring privacy professionals to join compliance teams and gain and bring valuable experience. And that can only be a good thing for us all.

In my view, the absolute must-have is someone who understands what the law says, what it means, and how to apply to it the business in question, plus who has the relationship and communication skills to become a trusted advisor to the business, known to all its functions, and seen as a key ally to help get the job done, avoid compliance headaches, and embed data protection to be business as usual.

A further response: by Thomas Shaw

The first time I read Emma's response was after it had been published, and so I am able to respond to it only now, post-publication. I have a number of concerns with the response but due to time and space constraints, I will describe only a few here.

One concern involves the flaw of conflating the role of the Chief Privacy Officer (CPO) with that of Data Protection Officer (DPO) under the GDPR.  The role of a CPO could well be described by what was written in the response. But the new role of DPO is different. The DPO as specified by the GDPR must maintain independence and avoid conflicts of interest, in addition to acting as the point of contract, cooperation, and consultation with the DPAs. As the Article 29 DP Working Party stated in its December 2016 Guidelines on Data Protection Officers (‘DPOs’), “the DPO’s primary concern should be enabling compliance with the GDPR.” It then stated that “chief privacy officers ('CPO's) or other privacy professionals already in place today in some companies, who may not always meet the GDPR criteria, for instance, in terms of available resources or guarantees for independence, and therefore, cannot be considered and referred to as DPOs.” 

Although my article clearly does not say that the DPO must be a lawyer, having such a professional will help address a second concern in the response.  The DPO is required by the GDPR to have “expert knowledge of data protection law.” The Article 29 DP Working Party in its December 2016 Guidelines stated that DPOs “must not be instructed to take a certain view of an issue related to data protection law, for example, a particular interpretation of the law.” The DPO will be independently providing legal advice on data protection law to the controller or processor as part of his/her tasks. If the DPO is not a lawyer, then this could involve them in the unauthorized practice of law. Although a complex area of law not easily summarized, it appears that a majority of EU member states and a significant number of non-EU states including the United States of America consider the provision of legal advice for compensation to be a “reserved” activity that can legally only be done by licensed legal practitioners. Those in jurisdictions like England with its more limited number of legal activities reserved only for licensed lawyers may not understand these legal restrictions of other countries.

Another concern with the response is that it seems to consider a more simplified legal compliance situation, not the more complex (and perhaps typical) situations where the required expertise in data protection law includes the need to understand and coalesce a large number of differing laws, regulations, guidance, and legal cases from different countries, including privacy and information security laws, data breach and cybercrime laws, consumer protection laws, labor and employment laws, etc., and possibly apply conflict of law and procedural rules. Could this complicated legal work be done without a lawyer in the DPO team? It may be but would it be appropriate for an organization to undertake that risk?

In summary, my article has suggested that privacy lawyers or licensed IS auditors would be the best professions to fill the role of DPO as specified under the GDPR. They are not the only professions who can fulfill the DPO role under the GDPR, just the best-qualified based on their varied skills as I previously explained and should be the starting point for organizations searching for a new DPO, within resource availability and financial constraints. If not designated as the DPO, these professions should at a minimum both be present as members within the DPO team, to best ensure compliance with the GDPR.

photo credit: Garen M. Two Cents via photopin (license)