Unlike many other areas of compliance, data privacy adherence is not something that can be audited once and then presumed to continue for the foreseeable future.
Data is the most voluminous, mobile, essential and potentially dangerous asset any business owns. It is created, deleted and interacted with constantly, often in new ways by new individuals.
A point in time audit is simply not suitable for continuous oversight of how data is treated.
It is this unavoidable truth that led the GDPR legislators to require organizations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data (Article 37), to ensure that the interests of the data subject are continually and adequately represented in any and all data processing. Hence the mandated Data Protection Officer (DPO) role.
Many mandated businesses have dutifully appointed their DPO. They have consciously sought to avoid the expense, time and difficulty of hiring a new head, and distilled the requirements and responsibilities to their raw essences and found a person internally who:
This seems suitable. The rights and interests of the data subjects appear to be best protected by a person who has this experience and background, and who can monitor the organization’s activities and ensure their adherence to the rules and the sentiment of GDPR, such as the CIO, CISO, Head of Compliance, Head of Legal, even the CEO.
These organizations seem to be acting in totally good faith. After all, Article 38(6) even allows the DPO role to be a secondary role on top of day-to-day operations.
But they have overlooked the proviso in that same Article, and an underlying principle of the GDPR: the controller must ensure the DPO's other tasks do not result in a conflict of interests. The DPO must be independent.
Expecting someone who also has responsibility for the management, oversight, strategy or security of data and how it is processed (i.e. someone who determines the purposes and means of processing on the organization's behalf) to also scrutinise, critique and object to those same processes on behalf of data subjects creates exactly that conflict of interest.
It is like asking students to mark their own homework. As much as they may be obliged to remain impartial, they have their own obligations, objectives and interests that prevent them from being completely and undeniably impartial.
No matter how ethically the individual may act, the arrangement itself represents a compliance failure.
And regulators are alert to this. Most Supervisory Authorities (SAs), including the UK's Information Commissioner's Office (ICO), have issued specific guidance on how to avoid a conflict of interest. While this proactive support shows that the SAs intend to help businesses avoid making this error, the flipside is that it also means they will not tolerate failure.
Indeed, fines have started to be handed to firms who overstep, intentionally or otherwise. A prime example is a €50,000 penalty for a Belgian telecoms operator whose DPO was also their Head of Compliance, responsible for the compliance, risk management and audit functions. Dispassionate and independent review of their data protection processes from a data subject's perspective, rather than the business's, was deemed impossible.
Roles that typically conflict with the DPO function:
- CIOs, who define the IT strategy, including where data resides, how it is accessed and by whom, and on which platforms.
- CISOs, who build security strategies that prioritize certain measures or defending against certain cybersecurity threats.
- COOs and CEOs, who have responsibility and/or influence over how data is processed, for what purpose and through what tools.
- Heads of legal, who balance the interests of the organization against what is permissible or possible under the law.
- Heads of compliance, who balance the organization's needs and operations with the requirements of various regulatory frameworks.
- Heads of department, e.g. marketing and HR, who determine how data is processed within their teams in order to meet their objectives.
The whole point of the DPO is to stand apart from the interests of the business and be the voice of the data subject.
How can any of these roles, all of which put the interests of the business first, be compatible with a second role that expects them to demand the business undertakes specific actions to protect the interests of the data subject, or even to spot the need for such actions in the first place? An external perspective is often key.
A company must appoint a DPO who is free to operate independently: free from pressure from management, and free from the blind spots that come with owning the very data-centric processes or strategies that may jeopardize the ongoing privacy of personal data.
If you suspect your current internal DPO appointment is putting your GDPR adherence at risk, then you should consider making a change soon.
The benefits of an external DPO:
- Guarantees impartiality: appointing an external party is specifically permitted under the GDPR (Article 37(6)), because such a person can avoid conflicts of interest, act dispassionately and often challenge senior management more easily.
- Greater accuracy
- Wider skillsets
- A show of trust
- Faster to appoint
- Significant savings
Calligo’s expert and highly-qualified data privacy consultants, who each have a unique mix of legal, technical and infosecurity expertise, are ideally suited to serve as your outsourced Data Protection Officer.
Our DPO as a Service clients range from SMEs to the largest enterprises, span every sector, multiple geographies and privacy regulations, and process some of the most sensitive categories of data.
Our experts provide ongoing monitoring and audits of the collection and processing of personal data, plus staff training, to ensure our clients' total and ongoing protection. They also represent your organization to both data subjects and Supervisory Authorities.
To find out more about our Data Protection Officer as a Service, get in contact directly with the team.