The issue of trust for the DPO
The challenge is that trust is hard to gain when you have a conflict of interest. In this case, the DPO has a level of independence, and because of this, senior management and innovators in the organisation may well pause before coming to talk to the DPO about the issues they’re facing. They will wait until they’ve formed their views, built their case and then they’ll bring it to the privacy office. That gets away from privacy by design. What we’re trying to achieve is somebody in the organisation who’s really embedded in the innovation and design processes and is part of an iterative discussion.
The danger is that this mandatory DPO role is going to actually hold back the Chief Privacy Officer role, because people are going to take on this statutory function, and in doing so, be seen as someone who is suddenly apart from the main decision-making process within the organisation. Therefore, we could regress back to the compliance and administrative mind-set of the 2000s, and move away from data ethics and innovation and this big-picture world.
Options – Chief Privacy Officer versus Data Protection Officer
The ideal situation is where the Chief Privacy Officer is a big picture role, a person actively managing privacy across all aspects of the organisation and involved in these big discussions. This can be contrasted with a DPO role having the more administrative focus. In Europe, we are grappling with this tension right now – there are several possible options:
Option 1: You might end up with an amalgamation of both of these roles, fulfilled by the same individual, which is the German model right now. That person might end up being CPO+, so it might be that we get these ‘super’ privacy officers.
Option 2: Both roles are fulfilled by the same individual but there’s a regression. In the end, you have this standalone, ombudsman, independent role, and the person misses out on all the interesting stuff until it’s brought to him or her at a later date, just to give some kind of sign-off.
Option 3: A schism where we end up having different roles and you have a Chief Privacy Officer and a Data Protection Officer within a large organisation. The more junior role would be the mandatory Data Protection Officer role, with the Chief Privacy Officer role being more strategic and engaging with the latest developments in the business and the C-suite. You have an ongoing evolution where the Data Protection Officer becomes more ‘tick box’ and the Chief Privacy Officer becomes a little bit ‘bigger picture’. This isn’t necessarily unhealthy.
At a crossroads
In Europe right now, we are at a turning point because, according to the IAPP, the mandatory Data Protection Officer role under the GDPR will create 28,000 mandatory DPO roles. We don’t have those people, so we’ve got to find them. We’ve then got to work out how that function works.
We have a choice. I very much hope that we still carry on this trend of DPOs being more engaged, bigger picture, and involved in data ethics and challenges. However, my fear is that we’re going to see a resource shortage of DPOs within Europe and a regression to people training up purely just to have this box-ticking role. It’s a very exciting world in which to be a privacy practitioner within Asia. There may well still be interesting lessons to learn from Europe.
Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. Promontory Financial Group, an IBM Company, does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
1 This guidance has now been issued: http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf