In the first part of this blog post I go over the DPO's responsibility and whether he can be held personally liable for disasters in the organization he works for. In the second part I discuss his modus operandi and the many talents a DPO must have: legal knowledge, ICT knowledge, business know-how, risk management expertise, the ability to report to senior management, and social skills.
Responsibility and liability
As you may know by now and will read in most articles on GDPR: Data Privacy is Serious Business! And, as Franklin D. Roosevelt once said: 'Great power involves great responsibility'.
It is no different for the DPO or for the role he takes on. This raises a great many questions about the Data Protection Officer's personal liability in cases involving breaches with serious consequences. Imagine you are the DPO of an organization that has lost all of its patients' medical records, or of a government organization that sees its citizens' data - local, regional or national - offered at extortionate prices on some dubious forum.
That thought alone is enough to give a DPO sleepless nights. But what if the Data Protection Authority (DPA) or a judicial authority holds the organization and those immediately responsible liable?
An organization's directors cannot evade their personal responsibility and can only protect themselves by ensuring that disasters do not occur. But directors act on advice from their DPO. Personal liability under the GDPR is currently still a gray area. WP29 (the Article 29 Working Party, the European data protection advisory body named after article 29 of the 1995 Data Protection Directive that the GDPR replaces) will need to clarify this subject in the coming months. These bodies have already indicated, however, that they would 'not target the DPO' should a Data Privacy disaster arise. The general expectation is that the upcoming clarification will protect the DPO against personal liability and, therefore, against being fired on the basis of the advice given as DPO; the regulation itself already states (article 38(3)) that the DPO may not be dismissed or penalised by the controller or processor for performing his tasks.
There is, however, one significant BUT. If the DPO systematically provides incorrect or unsubstantiated advice, or fails to provide independent advice (i.e. advice that serves the company's interests rather than objectively protecting the data), then the DPO is, in all probability, personally liable.
Correctly substantiating advice, keeping a detailed log of the advice given and of the decisions subsequently taken on the basis of that advice, and regularly obtaining external advice therefore seem appropriate. That external advice may come from lawyers, from specialists in the sector, or, for projects involving ICT, from ICT or other specialists. And let's not forget the DPA, which is to be given an advisory and preventative role in line with the State Secretary's intentions.
The DPO's great responsibility and possible liability mean that his role and modus operandi are not straightforward. He will often have to play the 'policeman' and push back when the organization wants to circumvent the GDPR. He sometimes has to deliver difficult messages, but naturally does not want to take the blame for failed projects or for weak business growth.
Besides the fact that a DPO needs to "live and breathe" the GDPR in all its aspects, he also needs a number of specific talents and skills in order to maintain the delicate balance between company interests and the "Data Privacy Rules":
Legal know-how
ICT know-how
Business know-how
Risk Management know-how
Ability to report to Senior Management
Social skills
Please find set out below a summary of each of these six aspects.
1. Legal Know-how
The GDPR is legislation that comes with interpretations, rulings, amendments and contractual dos and don'ts. Some legal knowledge is certainly required in order to converse confidently with lawyers. Moreover, the introduction of the GDPR will be followed by further legal developments; Belgian privacy legislation will probably also change. Future rulings by a chamber or a court will affect further digitalization and its impact on new and existing business processes.
2. ICT Know-how
Regardless of the organization, which business process in use today does not touch ICT or require ICT tools or interventions? At the same time, a DPO cannot hold a role that creates a conflict of interest (the GDPR allows the DPO to carry out other tasks only if they do not result in a conflict of interests). This means that your DPO will probably not come from the ICT department. But who, then, can take on this role? For a while now, Business & IT Alignment, in all its complexity, has formed an important link in organizations. We feel that the future DPO should have the necessary knowledge and experience in this area: enough to ask the right ICT questions and not to accept the first, often unsubstantiated, answer as the truth. Creativity in business processes as well as in ICT architecture is crucial, certainly if you do not want to be the kind of DPO who only reprimands others, rejects ideas and wanders about the organization like a pariah whom everyone would rather see the back of.
3. Business Know-how
Naturally, the same applies to business know-how. The DPO's monitoring and sometimes reprimanding role should also add value to the organization. An understanding of the ins and outs of the business will help him keep the organization GDPR-compliant and, at the same time, steer the creative thought process within the organization in the right direction rather than simply ending it.
4. Risk Management
This is not new, but it has not become easier under the GDPR. Risk management is more than keeping a risk log, and just presenting an Excel sheet will not suffice for the GDPR, which expects a risk-based approach and, for high-risk processing, a documented data protection impact assessment (article 35). You must show that you are dealing with the risks you have identified. You must show improvement: that risks disappear, or that their impact and the likelihood of their occurring decrease.
This will only be possible if you are able to assess risks correctly once you have identified them. What is the impact if the risk materializes, and how likely is that to happen? Together those two questions determine the risk factor, which you then compare to your risk appetite: which risks is the organization willing to accept, and which not? The security policy is drawn up in consultation with the management council and can differ greatly from one organization to the next. A compromised firewall may be rated a small risk by one organization, while a specialist may take a completely different view. It is therefore recommended to draw on expertise from your own environment or from external sources, and the DPO is best advised to involve others in assessing risks. Simply ask several players what they think the impact or likelihood of a given risk is; you will find that this results in a balanced figure that the business can then act on.
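As an added example (not code from the original post), the following Python snippet sketches the kind of risk register the two paragraphs above describe: several assessors score each risk, the median combines their estimates so that one optimistic business owner or one alarmed specialist does not dominate the figure, the score is compared with a risk appetite set by management, and two snapshots are compared to show whether risks improved. The risk names, the 1-5 scales, the appetite value and the assessments are all constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median

SCALE = range(1, 6)  # hypothetical 1 (lowest) .. 5 (highest) scale for impact and likelihood


@dataclass(frozen=True)
class Assessment:
    """One assessor's estimate for one risk (constructed scales, not a standard)."""
    assessor: str
    impact: int
    likelihood: int

    def __post_init__(self):
        for name in ("impact", "likelihood"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be 1..5, got {getattr(self, name)}")


def combine(assessments):
    """Combine several assessors' estimates with the median: one outlier
    (an optimistic business owner or an alarmed specialist) cannot dominate."""
    if not assessments:
        raise ValueError("at least one assessment is required")
    impact = median(a.impact for a in assessments)
    likelihood = median(a.likelihood for a in assessments)
    return {"impact": impact, "likelihood": likelihood, "score": impact * likelihood}


def decide(score, appetite):
    """Compare the risk factor with the risk appetite agreed with management."""
    return "accept" if score <= appetite else "treat"


def evaluate(register, appetite):
    """register: {risk name: [Assessment, ...]} -> {risk name: combined figures + decision}."""
    out = {}
    for name, assessments in register.items():
        combined = combine(assessments)
        combined["decision"] = decide(combined["score"], appetite)
        out[name] = combined
    return out


def progress(before, after, appetite):
    """Per risk, did the score go down between two snapshots? Risks that no
    longer appear in `after` are reported as closed."""
    old_eval, new_eval = evaluate(before, appetite), evaluate(after, appetite)
    report = {}
    for name, old in old_eval.items():
        if name not in new_eval:
            report[name] = {"from": old["score"], "to": None, "trend": "closed"}
            continue
        new_score = new_eval[name]["score"]
        if new_score < old["score"]:
            trend = "improved"
        elif new_score > old["score"]:
            trend = "worse"
        else:
            trend = "unchanged"
        report[name] = {"from": old["score"], "to": new_score,
                        "trend": trend, "decision": new_eval[name]["decision"]}
    return report


# Constructed sample data: two risks, three assessors each, two quarterly snapshots.
Q1 = {
    "firewall compromise": [
        Assessment("business owner", impact=2, likelihood=2),
        Assessment("DPO", impact=4, likelihood=3),
        Assessment("security specialist", impact=5, likelihood=4),
    ],
    "patient records copied to unencrypted USB sticks": [
        Assessment("business owner", impact=4, likelihood=4),
        Assessment("DPO", impact=5, likelihood=5),
        Assessment("security specialist", impact=5, likelihood=4),
    ],
}
Q2 = {  # after network segmentation work and after USB encryption was enforced
    "firewall compromise": [
        Assessment("business owner", impact=4, likelihood=1),
        Assessment("DPO", impact=4, likelihood=2),
        Assessment("security specialist", impact=5, likelihood=2),
    ],
    "patient records copied to unencrypted USB sticks": [
        Assessment("business owner", impact=5, likelihood=1),
        Assessment("DPO", impact=5, likelihood=1),
        Assessment("security specialist", impact=4, likelihood=2),
    ],
}
RISK_APPETITE = 6  # hypothetical: management accepts a score of 6 (e.g. 3 x 2) or lower

if __name__ == "__main__":
    for name, row in progress(Q1, Q2, RISK_APPETITE).items():
        print(f"{name}: {row['from']} -> {row['to']} ({row['trend']}, {row.get('decision')})")
```

The median, rather than the mean, is the deliberate choice here: with three assessors it simply picks the middle opinion, which is what "asking several players" is meant to achieve. The `progress` report is the evidence the paragraph asks for: not a static sheet, but a per-risk trend between two dated snapshots that shows which risks fell below the appetite and which still need treatment.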
5. Ability to report to Senior Management
The GDPR requires the DPO to report directly to the highest management level of the organization (article 38(3)). Each board has its own rules. There are management teams that work very formally and follow a strict schedule, and there are those that take a pragmatic approach to meetings. Sometimes a DPO needs to give a presentation, whereas other boards expect to receive a comprehensive file, including every possible solution and consideration, x days before the meeting.
A DPO needs to be aware of these rules and adjust to them. Anyone who violates these unwritten rules will have an extremely difficult time getting a foothold in a meeting. And, as the GDPR makes clear, awareness and ultimately an 'integrated approach to Data Privacy' at the highest level is what a DPO wants to achieve within the organization.
6. Social skills
And finally, the DPO acts on the basis of legislation that has been imposed on companies rather than requested by them. Frustration with the 'invisible legislator' does not get us very far, though. It is a human reflex to equate the person charged with implementation with the legislator. The DPO can reinforce that reflex, or use his social skills to separate the person from the professional task at hand. He will ensure that meetings are not conducted 'with guns drawn' and that the job can eventually count on more support. The goal is to make the organization more 'Data Privacy Minded'.
"Think twice before you act" is good advice we want to share with you. The organization needs to think long and hard about who should be entrusted with the DPO role: someone within the organization or an external consultant. Your DPO's modus operandi will determine how you start new initiatives in future, whether you receive quick and creative answers, and how you, as a "Data Privacy Minded" organization, will gain the trust of the DPA.
The GDPR does not need to be the umpteenth standard that threatens your business model. If you act wisely, this legislation opens creative doors to a responsible way of utilizing or marketing the data you have. I predict an exciting period for businesses that are committed to Data Privacy and that make the right choices, such as who to appoint as DPO.
Gert Maton, Senior consultant
If you would like to find out more about GDPR or you want us to help you prepare your company for May 2018, contact me on Gert.Maton@realdolmen.com.