An evolving function
The role of the Data Protection Officer (‘DPO’) in and around the turn of the century was very different from today’s role. In those days, the UK was transitioning from the 1984 Act to the 1998 Act just as now we’re rolling into the General Data Protection Regulation (‘GDPR’) in 2018.
Our focus then was very localised. In the UK, we thought discussing European privacy was quite exotic. Anything outside of Europe was seen as a vacuum. We had a vague notion that there might be some bits and pieces in the U.S., but we weren’t really too aware of it. We were focused on regulations, and we were discussing quite earnestly individual international data transfers – far from the connected world we have today. The actual community of people in the UK who were dealing with privacy was extremely small – it wouldn’t fill a modest conference room. Our main role was explaining what these rules were to people in various organisations, in government, and in the private sector. Over time, it became apparent that this simply wasn’t going to be enough, and the evolution of a more focused breed of privacy professionals began.
The Asian perspective
It is apparent that Asia has the potential to both fast track its evolution and even overtake where Europe is right now in terms of privacy. Europe stands at a crossroads with GDPR, which will revolutionise the role of the DPO. The privacy role is critical in an organisation, and we need to embrace that opportunity. In Asia, as people have been taking on newly created privacy roles, they immediately rush to look at the rules and understand them, to understand what the regulation means. That is correct; it is natural, and it’s the right thing to do. However, a simple focus on the rules is ultimately restrictive, and the most successful and productive DPOs are also engaged with the wider organisation, its people, technology and operations.
In Asia there is continual talk about the Internet of Things, Internet of Everything, Big Data, Cloud, Artificial Learning, Artificial Intelligence, Machine Learning. All these areas are driving quite serious questions around privacy. The privacy professional has to come up with the goods – they can’t just sit there and be able to recite the rules, as we did in the year 2000. The choice for privacy professionals is whether to take on this challenge in a passive way or an active way.
Active or passive?
There is great potential for privacy people to actually be much more active in how they nurture their careers and how they position privacy within their organisation. The privacy professional is the best placed person in most large organisations to start to articulate to the business or to management in a government organisation how the organisation can interact with individuals in a personalised way. Somebody has to explain to these large organisations what that actually means, and because we as privacy people are steeped in notions of ethics, fairness, transparency, consent, purpose, limitation and accountability, we need to explain these principles to the stakeholders in the business – including senior management, revenue generators and IT professionals.
Ethical treatment of data is going to become increasingly important. We are already engaged as privacy professionals in considering what should be done with data, rather than simply what could be done with data, which is what data ethics is all about. The ever present risk is that we limit ourselves with a focus purely on regulation. It’s not an ‘either / or’ proposition – the future privacy professional has to be able to focus on regulation and ethics in an active way.
The journey continues
We are now moving into a world that is different to that which existed through much of the 2000s. This is a richer, more diversified world. This is a world in which data responsibility is becoming a much more integral part of the senior hierarchy of business responsibilities.
It’s important to note that it’s not inevitable that privacy leaders will become the arbiters between the individual and the corporation. It’s not inevitable that we will start to engage with other questions around data ethics and how data should be used in organisations. This could go to other people within an organisation. It could go to the Chief Data Officer, the Chief Information Officer, or the Chief Marketing Officer. All these stakeholders already have opinions on these areas.
The GDPR – Challenges
Within the GDPR there’s a requirement for mandatory DPOs. Other countries have the opportunity to learn from Europe’s mistakes, rather than trying to follow this particular path.
The mandatory DPO role is based on current German regulation. There’s a bit of variation between the GDPR and the German regime, but it’s pretty much the same. The Germans had a look at what the French were doing with the old ’95 directive and thought that was okay, but it was quite centralist – you had to ask permission to do a lot of things, such as international data transfers. It was a bit too command and control. The result was that the requirement for mandatory DPOs was instituted, accompanied with less administrative requirements.
The GDPR mandatory DPO role is going to effectively be a representative of the privacy regulator in the organisation. Rather than have all the corporations come to the regulator to answer various permissions along the way, we’re going to have a role that is going to sit within the organisation where the DPOs have a level of job protection and independence. That was the original notion.
However, there still isn’t sufficient guidance. We are moving into slightly unknown territory here. The Article 29 Working Party (which is the group of European regulators) are set to produce some guidance that will give us more idea as to how this is going to work in practice. Their work is worth keeping an eye on.1
At the moment the German model may be the best guideline. The problem with the German model is this: We may want the privacy professional to have a role in the organisation where DPOs are trusted by their peers, by senior management as well as by outside individuals as being the arbiter of privacy; this role personally understands the concerns of the individual and also makes this privacy concept actually operationalised within the organisation. Such an individual has to have the trust of stakeholders in all directions. So, they have to have trust with individuals they’re working with, with the customers they’re helping protect but also with senior management.
The issue of trust
The challenge is that trust is hard to gain when you have a conflict of interest. In this case, the DPO has a level of independence, and because of this, senior management and innovators in the organisation may well pause before coming to talk to the DPO about the issues they’re facing. They will wait until they’ve formed their views, built their case and then they’ll bring it to the DPO. That gets away from privacy by design. What we’re trying to achieve is somebody in the organisation who’s really embedded in the innovation and design processes and is part of an iterative discussion.
The danger is that this mandatory DPO role is going to actually hold back the CPO role, because people are going to take on this statutory function, and in doing so, be seen as someone who is suddenly apart from the main decision-making process within the organisation. Therefore, we could regress back to the compliance and administrative mind-set of the 2000s, and move away from data ethics and innovation and this big-picture world.
Options – CPO versus DPO
The ideal situation is where the CPO is a big picture role, a person actively managing privacy across all aspects of the organization and involved in these big discussions. This could be compared to a DPO role having the more administrative focus. In Europe, we are grappling with this tension right now – there are several possible options:
Option 1: You might end up with an amalgamation of both of these roles, fulfilled by the same individual, which is the German model right now. That person might end up being CPO+, so it might be that we get these ‘super’ privacy officers.
Option 2: Both roles are fulfilled by the same individual but there’s a regression. In the end, you have this standalone, ombudsman, independent role, and the person misses out on all the interesting stuff until it’s brought to him or her at a later date, just to give some kind of sign-off.
Option 3: A schism where we end up having different roles and you have a CPO and a DPO within a large organisation. The more junior role would be the mandatory DPO role, with the CPO role being more strategic and engaging with the latest developments in the business and the C-suite. You have an ongoing evolution where the DPO becomes more ‘tick box’ and the CPO becomes a little bit ‘bigger picture’. This isn’t necessarily unhealthy.
At a crossroads
In Europe right now, we are at a turning point because, according to the IAPP, the mandatory Data Protection Officer role under the GDPR will create 28,000 mandatory DPO roles. We don’t have those people, so we’ve got to find them. We’ve then got to work out how that function works.
We have a choice. I very much hope that we still carry on this trend of DPOs being more engaged, bigger picture, and involved in data ethics and challenges. However, my fear is that we’re going to see a resource shortage of DPOs within Europe and a regression to people training up purely just to have this box-ticking role. It’s a very exciting world in which to be a privacy practitioner within Asia. There may well still be interesting lessons to learn from Europe.
Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsibility for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. Promontory Financial Group, an IBM Company, does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
1 This guidance has now been issued: http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf