DPO is ‘compliance orchestrator’ under GDPR says Working Party 29

Zubin MethaFor Working Party 29 (WP29), the role of the Data Protection Officer (DPO) under the forthcoming EU General Data Protection Regulation (GDPR) is the cornerstone of accountability as well as being a real tool of competitiveness for companies.

Tasked with the implementation of accountability tools that include the policies, procedures documentation, data protection impact assessments as well as internal training for all employees entrusted with handling customer data, the DPO is more like a ‘compliance orchestrator’ in much the same way as a conductor of a symphony orchestra, such as Parsee-born Zubin Mehta, conductor of the Israeli Philharmonic Orchestra.

In its advice note to the European Commission, European Parliament and Council of Ministers, WP29 said: “While recognising the need for local customisation in certain cases, (we) would like to strongly underline that such given flexibility should not undermine the level of protection brought by the Regulation and that harmonization of a high level of protection remains the goal.”

The performance of the company or organisation in all matters relating to data protection and privacy of its customers and clients is a core activity and if handled diligently and in accordance with the principles enshrined under GDPR, the company or organisation will stand head and shoulders among its peers.

Nobel Laureate and philosopher Elias Canetti described the role of the conductor as a natural leader: “His eyes hold the whole orchestra. Every player feels that the conductor sees him personally and still more hears him…He is inside the mind of every player. He knows not only what each should be doing but what he is doing. He is the living embodiment of law, both positive and negative. His hands decree and prohibit…And since, during the performance, nothing is supposed to exist except this work, for so long is the conductor the ruler of the world.”

In much the same way the DPO is the intermediary between all relevant stakeholders such as data subjects, the organisation or business that they work for, third party partners and suppliers, the supervisory authority and regulatory authority for their industry (if they have one).

Article 35 makes the appointment of a DPO mandatory subject to objective criteria that include the volume of data processed by an organisation or company, or the nature of its activities. In cases where a DPO doesn’t need to be employed, the duties and obligations under GDPR can be fulfilled by an outsourced provider.

Article 36 enshrines the independent nature of the DPO – perhaps in a way that is very different from any other employee in the company or organisation. The DPO is entitled to expect to carry out their duties and tasks independently and uniquely not receive ‘any instructions as regards the exercise of the function.” They also enjoy special protection from dismissal.

The individual DPO is also responsible to the Board director responsible for compliance with the provisions of GDPR – which in many cases could be the Chief Executive Officer (CEO) or the Chairman of the audit and risk committee.

These ‘compliance orchestrators’ therefore enjoy a level of autonomy that many other senior managers within the company or organisation do not and as a result the role of the DPO presupposes someone of high standing, expertise and probity that’s fit to fulfil what can only be described as one of the loneliest jobs in the organisation or company given the level of severity non-compliance with GDPR can bring. In this regard, the DPO is like a ‘mini-regulator’ with the company or organisation and as a result will need to walk a tightrope in keeping their boss happy as well as the Data Protection Authority (DPA).

In the recitals to GDPR, some consideration was given as to the qualifications and experience required for someone to be appointed as a DPO.

The following isn’t to be interpreted as an exhaustive list but should be seen as a minimum requirement for a DPO:

  • extensive knowledge of the substance and application of data protection law, including technical and organisational measures and procedures
  • mastery of technical requirements for privacy by design, privacy by default and data security;
  • industry-specific knowledge in accordance with the size of the controller or processor and the sensitivity of the data to be processed
  • the ability to carry out inspections, consultation, documentation, and log file analysis;
  • ability to work with employee representation.

The DPO is also entitled to take part in advanced training measures to maintain the specialized knowledge required in performing their duties and over time this level of executive education provision is expected to grow in importance across the EU.

According to the International Association of Privacy Professionals (IAPP), the relationship between the Chief Privacy Officer (CPO) and DPO could be a pivotal one as CPOs are positioned as the nexus between the audit committee and board interest in data.

“The CPO and the DPO don’t necessarily need to be the same person. In certain cases it may be advantageous that they are not and even externally provided, while in other cases combining roles can demonstrate a higher standard of corporate governance. CPOs with lines into the Chief Compliance Officers are often in the best starting position to effect change, given the prescribed character of the GDPR. Plus, overarching compliance and operational risk assets are typically within easy reach,” says IAPP.

However, unless roles and responsibilities between the CPO and the DPO are clearly defined, this could lead to a source of confusion and tension within the data controller or processor.

Into the mix is also the Chief Data Officer (CDO) that may emerge as the inflection point between requirements for independence and enabling monetization of data within the company or organisation. In the absence of a CDO, the data governance committee may perform a similar task. The relationships between a CPO, CDO and DPO will be important from a risk management and business continuity perspective.

Leave a reply