The role of the Data Protection Officer (DPO) in and around the turn of the century was very different from today’s role.And you may be hard-pressed to find someone called a Chief Privacy Officer (CPO). In those days, the UK was transitioning from the 1984 Act to the 1998 Act just as now we’re rolling into the General Data Protection Regulation (GDPR) in 2018.
Our focus then was very localised. In the UK, we thought discussing European privacy was quite exotic. Anything outside of Europe was seen as a vacuum. We had a vague notion that there might be some bits and pieces in the U.S., but we weren’t really too aware of it. We were focused on regulations, the privacy policies we need, and we were discussing quite earnestly individual international data transfers – far from the connected world we have today. The actual community of people in the UK who were dealing with privacy was extremely small – it wouldn’t fill a modest conference room. Our main role was explaining what these rules were to people in various organisations, in government, and in the private sector. Over time, it became apparent that this simply wasn’t going to be enough, and the evolution of a more focused breed of privacy professionals began.
The Asian perspective
It is apparent that Asia has the potential to both fast track its evolution and even overtake where Europe is right now in terms of privacy. Europe stands at a crossroads with GDPR, which will revolutionise the role of the Chief Privacy Officer. The privacy role is critical in an organisation, and we need to embrace that opportunity. In Asia, as people have been taking on newly created privacy roles, they immediately rush to look at the rules and understand them, to understand what the regulation means, to look at the personal data they must secure. That is correct; it is natural, and it’s the right thing to do. However, a simple focus on the rules is ultimately restrictive, and the most successful and productive DPOs are also engaged with the wider organisation, its people, technology and operations.
In Asia there is continual talk about the Internet of Things, Internet of Everything, Big Data, Cloud, Artificial Learning, Artificial Intelligence, Machine Learning. All these areas are driving quite serious questions around privacy. The privacy professional has to come up with the goods – they can’t just sit there and be able to recite the rules, as we did in the year 2000. The choice for privacy professionals and especially the Chief Privacy Officer is whether to take on this challenge in a passive way or an active way.
Active or passive privacy professionals?
There is great potential for privacy people to actually be much more active in how they nurture their careers and how they position privacy within their organisation. The privacy professional is the best placed person in most large organisations to start to articulate to the business or to management in a government organisation how the organisation can interact with individuals in a personalised way. Somebody has to explain to these large organisations what that actually means, and because we as privacy people are steeped in notions of ethics, fairness, transparency, consent, purpose, limitation and accountability, we need to explain these principles to the stakeholders in the business – including senior management, revenue generators and IT professionals.
Ethical treatment of data is going to become increasingly important. We are already engaged as privacy professionals in considering what should be done with data, rather than simply what could be done with data, which is what data ethics is all about. The ever present risk is that we limit ourselves with a focus purely on regulation, on the programs for protection of data and information security. It’s not an ‘either / or’ proposition – the future privacy professional has to be able to focus on regulation and ethics in an active way. And the Chief Privacy Officer will have to lead the way.
Data responsibilities is integral to business responsibilities
We are now moving into a world that is different to that which existed through much of the 2000s. This is a richer, more diversified world. This is a world in which data responsibility is becoming a much more integral part of the senior hierarchy of business responsibilities.
It’s important to note that it’s not inevitable that the Chief Privacy Officer and privacy leaders will become the arbiters between the individual and the corporation. It’s not inevitable that we will start to engage with other questions around data ethics and how data should be used in organisations. This could go to other people within an organisation. It could go to the Chief Data Officer, the Chief Information Officer, or the Chief Marketing Officer. All these stakeholders already have opinions on these areas.
The GDPR – Challenges
Within the GDPR there’s a requirement for mandatory DPOs. Other countries have the opportunity to learn from Europe’s mistakes, rather than trying to follow this particular path.
The mandatory DPO role is based on current German regulation. There’s a bit of variation between the GDPR and the German regime, but it’s pretty much the same. The Germans had a look at what the French were doing with the old ’95 directive and thought that was okay, but it was quite centralist – you had to ask permission to do a lot of things, such as international data transfers. It was a bit too command and control. The result was that the requirement for mandatory DPOs was instituted, accompanied with less administrative requirements.
The GDPR mandatory DPO role is going to effectively be a representative of the privacy regulator in the organisation. Rather than have all the corporations come to the regulator to answer various permissions along the way, we’re going to have a role that is going to sit within the organisation where the DPOs have a level of job protection and independence. That was the original notion.
However, there still isn’t sufficient guidance. We are moving into slightly unknown territory here. The Article 29 Working Party (which is the group of European regulators) are set to produce some guidance that will give us more idea as to how this is going to work in practice. Their work is worth keeping an eye on.1
At the moment the German model may be the best guideline. The problem with the German model is this: We may want the privacy professional to have a role in the organisation where DPOs are trusted by their peers, by senior management as well as by outside individuals as being the arbiter of privacy; this role personally understands the concerns of the individual and also makes this privacy concept actually operationalised within the organisation. Such an individual has to have the trust of stakeholders in all directions. So, they have to have trust with individuals they’re working with, with the customers they’re helping protect but also with senior management.