Before the summer break, I reflected on some recent cases involving data protection officers (DPOs) and conflict of interest. I also promised to provide some ideas on avoiding such conflicts—ideas, that is, other than the almost overly simplistic (perhaps even uninspired) solution, which is to follow the letter and spirit of the GDPR and to appoint an autonomous DPO.

At the time of making said promise, I had no idea that the prestigious Nordjysk GDPR-Netværk—of which I am a learned member—would play straight into my hands by making the legal standing of DPOs one of the central themes of their September meeting. While tempting, I will not refer to what was discussed at the meeting, but instead put in a major plug for the Network—if you are Denmark-based and to any extent interested in data protection, I’m sure you’ll find their now countrywide, migratory events as thought-provoking as I have.
Without aiming to be exhaustive, this post aims to provide some ideas one might consider implementing to not only make one’s privacy programme regulator-proof, but to do the right thing and for the right strategic reasons. And by the right thing, I mean not merely appointing a DPO because one has to—or because one chooses to, and then decides not to be serious about it, as illustrated by the recent case of Telenor in the Nordics.
Disclaimer: None of the below scenarios should be construed as professional advice—let alone as solutions that will withstand regulatory scrutiny. The geographical scope of my expertise is necessarily limited, and I am not aware of any regulatory guidelines that would advocate for or validate any such solutions. What’s more, what works well as an internal control will as a rule be incredibly organisation-specific: arguably one of the reasons why regulators do not usually prescribe solutions, but prefer to interrogate them instead.
𐚁
The External DPO
This is a solution chosen by many organisations. A small company, or public office such as a municipality might lack the organisational capacity or budget for a full-time DPO position on their staff, and choose to procure it as a service. This setup can be good for independence—particularly if the contract owner is the CEO (or mayor). The solution can also foster well-working methodologies and templates: the External DPO will often use the same approach across clients, and so they will ideally propose solutions that have been tried and tested across organisations.
On the flip side, the External DPO will not be as close to the organisation’s processes and people as “one of their own”—their advice may be taken less seriously because they are “just a consultant”. They may inevitably be perceived as less invested in the corporate strategy than a colleague.
I have met more than one (actually: two) External DPOs who render their services to over a dozen organisations—which might bring one to question how well they may be able to understand each of their clients’ specific data processing needs. Also: what percentage of their time can a guru spread so thin dedicate to any single client? This is the dilemma of the “part-time DPO”, which, as the above-cited Telenor case has also underlined, can become a problem.
The Group DPO
For subsidiaries that belong to the same group, the DPO function is often accumulated at group-level (in the parent company), or at one of the group members that for some reason wields this expertise with a comparative advantage, and provides it as a service—typically through a service-level agreement (and naturally a data processing agreement!)—to sister companies.
At the end of the day, the Group DPO is a sub-category of the External DPO, but one with more straightforward access to internal systems and processes, and possibly stronger internal authority—particularly if placed at the parent company.
The Educated Friend of the DPO
A person with comparable qualifications and expertise in the GDPR, situated at peer level with the DPO, might be appointed as what one might call the Educated Friend of the DPO. For example, if the DPO is part of the Compliance function, then the Educated Friend might come from HR. If the DPO is in Legal, the Educated Friend might emerge from Internal Audit.
The point in having an Educated Friend is that they can serve as a backup for the DPO in case the latter is conflicted out from advising or acting as a control—for example, because their own organisational unit is the data owner. The key here is to institutionalise the solution through internal policy, i.e. to predefine the cases, and the modi operandi, in which the Educated Friend will step in—what powers they will wield, the paper trail needed, &c.
There might also be cases that cannot be foreseen or predefined in which the DPO might succumb to conflict of interest. In such cases, the highest level of management should sign off on the mandate to bring in the Educated Friend, and thereby lend the appropriate level of authority and assume the appropriate level of accountability for “temporarily displacing” the DPO.
The Twin DPOs
As a hybrid of sorts between the Group DPO and the Educated Friend sits the Twin DPO. For a pair of sister companies that both have DPOs assigned, a twinning arrangement might help DPOs to help each other out if one of them finds themselves in a conflict of interest. A major advantage of such a setup may be independence, as the twins will typically have different lines of management, which can serve as a safeguard against cross-company managerial meddling.
The only major disadvantage I can think of is that such a setup may in fact be too good to be true. In my experience, integrated company groups rarely maintain parallel structures across subsidiaries with the noble aim of providing mutual oversight—if anything, such setups have a good chance of being flagged as a “redundancy”, which may be a sacred word for internal controls, but it is often synonymous with “waste” and “inefficiency” in the management dictionary (and therefore an easy target for efforts to economise).
The DPO Team
While some of the above scenarios might appear as ideal types (hopefully not idealistic), a common and down-to-earth solution is the DPO Team.
While the GDPR refers to the DPO in singular, there is nothing to forbid a controller from expanding the function into a team of people—whether a hierarchical team of GDPR experts, or a matrixed or informal team of GDPR champions, or indeed a combination of both. For large companies, this will be teams of many people.
Different team players will inevitably wield different fortes within data protection and privacy, and by the sheer act of doing so will further the capacity and authority of the DPO function. They will also bring diverging viewpoints, which can act as a natural buffer or even preventative measure against a potential conflict of interest.
While a one-person-show DPO might easily be overruled by a powerful manager, a DPO who rallies a team of professionals will have a much better chance of remaining afloat and independent—even if, as may occur in the real world, they happen not to report directly to the Board.
𐚁 𐚁 𐚁
* The title is an allusion to Texas Bix Bender’s classic gag book Hats and the Cowboys Who Wear Them (1994)—a book whose jokery, unlike the thoughtful and nuanced humour with which some of the GDPR’s provisions were crafted, was almost entirely lost on me.
