Perspective in Practice: Appointing a Data Protection Leader; Not a DPO
I’m frequently asked by organisations about the appropriate person to appoint as the individual responsible for data protection. By the time they ask me this question, many have already appointed a senior person in their organisation, usually under the banner of Data Protection Officer.
More often than not, I open my response by suggesting to them that they probably shouldn’t appoint a Data Protection OFFICER at all!
I’ll explain why. And, I’m going to emphasise the word ‘Officer’ with vigour.
Chapter 4 of the GDPR provides information about Data Protection Officers, with Articles 37, 38 and 39 being especially relevant.
It would be well to consider the title of Data Protection OFFICER as one that should not be used lightly. In the same way that there are expectations on individuals who hold the title of solicitor, doctor, MP or police officer, for instance, a Data Protection OFFICER will be expected to fulfil specific functions, perform specified tasks and have appropriate, current expertise.
Article 37 sets out when a Data Protection OFFICER must be appointed. If an organisation meets any of the criteria set out at the start of that Article, it has no choice but to appoint a Data Protection OFFICER.
If your organisation does not meet those criteria, you do not automatically have to appoint a Data Protection OFFICER. But, you must, irrespective of the size, nature, sector or purposes of your organisation, have in place effective leadership and controls for the management of data protection.
Article 38, paragraph 6, refers to conflict with other duties. In summary, a Data Protection OFFICER should not occupy any other role in the organisation which could come into conflict with their responsibilities as the Data Protection OFFICER; this is where the challenge really starts to present itself for many small and medium-sized organisations, perhaps especially those in the legal sector or other regulated areas, which often have a relatively small senior management team, so the options for internal appointments are going to be limited.
Moreover, there is a requirement in some sectors for specific roles to be established in key areas of responsibility (in legal practices, for instance, there must be senior officers concerned with legal practice, the ‘COLP’, and with financial controls, the ‘COFA’), and it is not uncommon, therefore, that a person who holds one of these key roles is also initially nominated as the Data Protection OFFICER.
At this stage, I would also highlight Article 39, which sets out the baseline responsibilities of a Data Protection OFFICER. These include: ensuring that data protection regulations are adhered to, monitoring compliance with the regulations, cooperating with and making reports to regulators when necessary, providing training and advice to staff, and providing advice in respect of data protection impact assessments (data protection by design and by default).
To be able to fulfil a data protection leadership role effectively, therefore, whoever is appointed must have a working knowledge of the requirements imposed by the regulation, be in a position of authority to be able to make decisions (even if such decisions mean reporting their own organisation to the regulator or to a data subject) and must have access to all of the organisation’s personal data. In other words, it is likely to be inappropriate for a relatively ‘middleweight’ or ‘junior’ member of staff to hold the data protection leadership role; again, this brings about the likelihood of appointing somebody who could be in a conflicting role.
I find it helpful to set out points for consideration in the form of a fictitious scenario. In this case, let’s assume that the organisation in question is a legal practice, with 3 Partners/Directors who have an equity stake (equally divided or not) in the business, plus a Practice Manager and perhaps a dozen other staff (including solicitors and support staff). The law firm is already required to appoint a COLP and a COFA, and given that there are 3 Partners/Directors, it is not unlikely that those roles will be conducted by individuals from within that group.
It is necessary to decide who is going to undertake the role of data protection leader. Because the requirements set out in Article 39 generally mean that the individual responsible needs to hold a senior position/rank in the organisation, it is common for the data protection leadership role to be allocated to one of these 3 individuals.
But, if one considers the letter of Article 38, which sets out that a Data Protection OFFICER must not be conflicted by other roles/functions they hold in the organisation, it’s easy to see that conflict is almost inevitable.
Critically, a person appointed as the [Data Protection] ‘OFFICER’ must not have overall control of decision-making around the use of personal data, including, but not limited to, HR, IT, clients and marketing.
And so, to move towards achieving an appropriate appointment, a helpful place to start would be to consider what the role is going to entail for the actual organisation in question. That is, to identify who is responsible for what, their level of authority, their access/visibility to personal data and their awareness/knowledge of personal data regulation. Considering these factors is going to immediately narrow the choice of potential appointees to the role of data protection leader.
Having identified the most suitable individual based upon these criteria, their title needs to be decided. Because of the conflict with the ‘letter’ of the regulation, the organisation might choose to give the role a title other than Data Protection ‘OFFICER’; instead, titles such as Data Protection Director, Data Protection Leader or Data Protection Manager, for instance, could be a better choice.
The ‘letter’ of the regulation aside, there is also the expectation of the regulation. Irrespective of the title of the person responsible for data protection, there is still the requirement to manage personal data appropriately and effectively, which means aligning with the requirements set out in Articles 38 and 39.
I have encountered a range of methods by which different organisations in similar situations to the ‘fictitious’ scenario described above have gone about resolving matters.
Some have removed the responsibility for the ‘hottest’ areas (IT, HR, client data and marketing data) from one of the Partners/Directors and have then appointed that individual as the data protection lead. That individual is still at ‘Board level’, however, and so it would be well to consider additional measures to avoid, or at least manage, conflict of interest. Perhaps every 6 months or so, the other Partners/Directors will independently review the activity undertaken by the appointed data protection leader and will document their findings. And, to ensure that the review is an effective one, all of the persons conducting the review should be equally trained and knowledgeable in the requirements of data protection regulation (such training being documented).
Or, perhaps, if the Practice Manager operates at a senior enough level (so that they would usually have access to all of the personal data that the business holds), they could be appointed as the data protection leader. To avoid their being potentially ‘shouted down’ (in respect of data protection) by stakeholders in the practice, the authority of their role and the resource that must be applied to it should be clearly documented and upheld. Moreover, the individual should receive appropriate training on a regular basis. Again, others in the business, perhaps the Partners/Directors, would review the data protection work of the Practice Manager on a predetermined regular basis.
Alternatively, and sometimes in addition to the above, some organisations are sourcing support externally to augment their own internal processes and to provide guidance and monitoring to the organisation’s data protection lead. At PDA Legal, this is one of our services in which we have seen steadily growing interest in the past year or so. The principle is that an external expert organisation visits the business on a regular basis (perhaps every six months or so, according to the size and nature of the organisation) to review breach logs, training records and procedures for managing data protection, and to provide general guidance on data protection activity. The outcome of these visits can be documented so that there is a record of regular external/independent review, which would, at least, be useful and, at best, provide evidence to the regulator that the organisation was doing as much as possible to ensure effective data protection.
The above information is intended to help in the determination and appointment of a leader of data protection, and also the support and, critically, the effectiveness of that role. But there are two further critical elements that must also be appropriately resolved: communication to staff, and communication to clients/patients/customers, as to whom data protection queries should be referred.
To that end, it would be well to make sure that all staff have received a Privacy Information Notice, or at least something in writing that sets out not only their rights as data subjects but also the person to whom to refer data protection queries of any kind, and for the organisation to obtain a signature from the staff member to certify that they have read and understood their rights. And, for clients/patients/customers, your website, engagement letters, terms of business, etc., should make it clear and transparent whom they should get in touch with in the event that they have a data protection query.