5 Years of GDPR | Empowering in Practice or on Paper?
As the General Data Protection Regulation (GDPR) turns five, the European Data Protection Board (EDPB) has initiated its second coordinated action; investigating the designation and role of Data Protection Officers (DPO).
In light of EDPB’s initiative we review the influence of the DPO and how it can enable future sustainable privacy.
After the GDPR entered into force, the focus of data protection authorities was concerning “if a DPO had been appointed or not”. With this recent initiative from the EDBP, focus has definitely shifted to “how does this work in practice”.
Data protection is a crucial aspect of both public and private operations of today and the risk of data protection is rising exponentially as a consequence of the rapid digitalization. With the increased collection and processing of personal data, it has become even more essential for organizations to take responsibility for protecting the privacy of individuals.
Accountability is a further central principle of the GDPR. It requires organizations to take responsibility for their data processing activities and to be transparent about how they collect, use and protect personal data. It also requires organizations to demonstrate their compliance with the regulation’s provisions.
The GDPR introduced the role of the DPO to assist organizations in complying with the regulation’s requirements. The DPO is expected to keep up to date with any changes in data protection laws and inform and advise the organization and its employees on the GDPR’s requirements. The DPO is also responsible for conducting regular risk assessments, to identify any potential data protection risks and to provide recommendations for reducing such risks. Furthermore, it acts as a liaison between the organization and the data protection authority.
A critical role of the DPO is to monitor and advise on data protection impact assessments (DPIAs). DPIAs are assessments carried out by organizations to identify any risks associated with the processing of personal data. The DPO should be involved in these assessments and provide advice on how to mitigate any risks identified.
It is worth noting that the DPO should be independent and not be influenced by management or other parts of the organization. The DPO should report directly to the highest level of management within the organization, such as the board of directors or the CEO. This is the recommendation from the EDPB Guidelines but also a strong carrier of how important management finds these issues and, of course, the safest way to ensure that the board and management are aware of the risks at hand.
The GDPR made the designation of a DPO mandatory for certain organizations. Whether it is mandatory or voluntary, the DPO is designated for all the processing activities of an organization. The DPO can on the other hand be appointed for several organizations, provided that he or she is easily accessible from each establishment (having the DPO outside the European time zones can however be challenging).
In its first recital, the GDPR states that the protection of natural persons in relation to the processing of personal data is a fundamental right. Considering this and the accountability requirement under the GDPR, data protections risk should be measured and assessed from the risk that a data subject (whose data is being processed by an organization) cannot exercise his/her rights, and that the organization processing the personal data is unable to live up to its obligations under the regulation. In the absence of relevant data protection, risk-definition, measuring and assessing data protection risk as well as identifying and implementing sufficient risk mitigating activities can be challenging.
The DPO – A Power Role
“If management does not release the potential power and benefits of the DPO function, they risk limit the opportunity to reach long-term sustainable goals involving personal data.”
The DPO is on paper a real accelerator of privacy protection, but it is the responsibility of the organization to empower it in practice by making sure that the DPO has the right conditions to fulfill its function in relation to the processing activities in scope. It is not just about resources and competence; it is also about the DPO role from the perspective of business goals and actual prioritisation of data privacy within the rest of the organization. “Tone at the top” leading by example, as well as measuring and following up with e.g., Key Performance Indicators (KPI) can have a significant effect in boosting the DPO and the data privacy work, as well as embedding data privacy in an organization’s operations. Making data privacy part of daily operations often leads to benefits and efficiencies in areas where personal data is being used.
An important success factor for the DPO is to have clear expectations from top management on what to do and what to achieve. How such tasks and duties are to be conducted is a responsibility of the DPO and part of the role’s independence.
Empowering the DPO can facilitate compliance and become a competitive advantage for organizations and, in practice, work as intermediary between authorities, data subjects or units within an organization. This requires the DPO to be given sufficient autonomy and resources to carry out their tasks efficiently (with the help of a team if necessary). It is crucial that the DPO and his/her team is involved as early as possible in all issues related to data protection. This will promote a “privacy by design” approach and should therefore be standard procedure within the organization’s governance. However, it should not result in engaging the DPO personally in every single issue. An organization that implements a sufficient organizational framework and operating procedures, including controls related to the protection of personal data and when and how to inform or consult the DPO, will support the DPO to prioritize and assume a risk-based-approach to business operations.
The ability for the DPO to fulfill its tasks includes not only the mandate and position within an organization, but also personal qualities (integrity and professional ethics) and knowledge (about the GDPR and other relevant rules as well as the organization). According to the regulation, the DPO may fulfill other tasks and duties as long as such tasks and duties do not result in a conflict of interest.
Given the task to monitor data protection compliance, the DPO can at first glance be recognized as a role belonging to control functions. However, the organizational belonging should be assessed and decided based on the specific circumstances of the organization. In a three line of defense-model like in the financial industry, the DPO is in general hosted in the second line compliance-organization (Nordic countries) or the first line legal-organization (continental Europe). The different location of the DPO relates partly to the specifics of that organization, but also to the fact that the DPO is a fairly new and different role and that there are still struggles in identifying where it is best hosted.
From a data protection perspective, one could argue that the DPO is “second line” with its requirement on independence and monitoring and that the rest of the organization, including risk and compliance-organizations as well as audit-organizations are part of a “first line”. The reason for this is that all these units of an organization process personal data to some extent and hence are in scope of the processing operations that the DPO should cover.
Why is this coordinated action in progress and how can organizations prepare?
Since the GDPR is rather principle based, it can be challenging for an organization to find the right level of sufficient activities and priorities to reach data protection compliance and organizational targets related to personal data.
In general, the more complex and/or sensitive the processing operations, the more resources must be given to the DPO. The DPO function must be effective and sufficiently well-resourced in relation to the data processing being carried out.
There are already decisions by supervisory authorities today stating that accumulation of functions (head of compliance, risk management and internal audit) makes it impossible to guarantee independent supervision by the DPO of such units. Further, the accumulation of these functions by the same individual may lead to conflict of interests, an insufficient guarantee of confidentiality and non-disclosure towards employees, which clearly becomes in contradiction with the regulation.
The EDPB coordinated action will most probably lead to clarifications and alignment regarding the DPO function but also to enforcement and fines. In order to be prepared, organizations can assess and document compliance with the requirements related to the DPO. Where gaps are identified, actions should be taken to close such gaps and to ensure a long-term sustainable privacy organization.
“The EDPB is following up on the designation and role of the DPO. This will serve as an important indicator of how well and sustainable data is managed in an organization. We will also witness the empowering of the DPO to the benefit of sustainable privacy protection.”
The role of the DPO is crucial in ensuring accountability in organizations. However, the success of data protection is dependent on data protection being embedded in the practices and culture of an organization. It is further dependent on accountability and responsibility for data protection compliance vesting in all persons and functions of an organization. This second coordinated action by the EDPB should be viewed in this perspective; securing a corner stone of the GDPR by making sure the DPO is as empowering in practice as intended.
For further information please contact:
5 Years of GDPR
May 25th, 2023, marks the five-year anniversary of the enforcement of GDPR. This spring we reflect and review on the first comprehensive privacy regulation in a series of publications and events. Stay tuned for insights and perspectives on expectations vs. realties of a sustainable privacy arena, the legal ecosystem of GDPR, the future role of tech and much more.