As I write this blog post, it’s nine months to the day until the General Data Protection Regulation (GDPR) comes into force in the UK on 25th May 2018.
The title of this article works if you know the pop single “Murder on the Dance Floor”! It struck me as surprising when earlier this month, a hard working diligent European (mainland) colleague who has been “gifted” the role of Data Protection Officer (DPO) uttered the phrase: “After 25th May, I will be murdered :)”
The context of this utterance was sparked by an inter-colleague exchange of a recently released GDPR infographic from the EU Commission. I have been in the industry long enough to know that sharing is vital and never to assume that people are seeing the same volume of information coming across their desk as I am. By now, I’ve amassed quite a plethora of referential resources.
The preceding comment from my earnest colleague was as follows: “I’m afraid I’m not so optimistic about our preparations to GDPR.” On the one hand, I have learned that many mainland Europeans lack as broad a sense of humour as the Brits or the Irish. They take statements seriously and are very dry. No criticism intended. This is just an important contextual cultural observation that has been invaluable in changing my own communication approach when dealing with European colleagues. It can be detrimental to your success at attempting to implement any change programme if you misjudge your audience and their absorption style.
I’m sure there are many of you who feel likewise concerned about your organisation’s current level of commitment or preparedness for the forthcoming GDPR. In this era of mindfulness, it is vital to take a moment and breathe. My response was as follows, and I would give the same advice to anyone else with similar concerns: “If the business makes decisions that increase their risk – and we have provided the right advice to the contrary – our job is to document this for future evidence.”
The advice was well received, but the interchange got me returning to thinking about ongoing concerns about professionalism and the role of the DPO.
There has been much written about the role of the DPO – and with our narrowing window of time, it is worth revisiting some of this. The DPO is intended to be a person who is formally tasked with ensuring that an organisation is aware of, and complies with, its data protection responsibilities. Reality means that these are two very separate things – awareness and compliance. Let’s not kid ourselves as to the likely success of a DPO achieving both, simultaneously – and specifically by 25th May 2018.
Side note – always watch out for people pontificating about new legislation if they are unable to quote chapter and verse. On the one hand, the encouragement is always to not do so in order to ensure an organisation is not baffled by complexity. However, that leaves a wide-open playing field for snake oil and charlatan behaviour, something the IT industry is prone to with alarming consistency.
I have sat in many auditoriums and attended many workshops, seminars and conferences at which people had blatantly not read the relevant reports, standards, or legislation and should have been challenged for their lack of professionalism. Someone recently tried to challenge me that the regulation was unclear as was the intended implementation expectations. If you read the readily available Regulation and then go on to study the understanding that is required of a practitioner with other experts in the field, clarity exists in abundance.
In this instance, the rhetoric has consistently implied that a DPO should be provided with sufficient resources to perform the role and should be suitably qualified to perform the role. The relevant area of the GDPR is Article 37:
The DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.”
This is supported by Recital 97:
“a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation. … in an independent manner.”
I have had the pleasure of working with many longstanding data protection officers (the old flavour) over the last 20 years. There has been data protection legislation since the early 1990s. These individuals should be the natural choice, but the spin merchants have been consistently pedalling the notion that over 75,000 DPOs will be required worldwide.
Are all the existing DPOs immediately redundant? I think not. You cannot become an “expert” in a law that is yet to be in force overnight. But you can be an expert in the “practice” of existing “data protection law,” and that is what GDPR requires.
GDPR also proscribes that the DPO must maintain her/his expert knowledge. Experience is certainly one way of having done so. Given that GDPR is very focussed on evidence-collection in order to prove compliance, undertaking a GDPR Practitioner course would be a good (though not mandated) option. Taking a law degree might be a step too far.
Nonetheless, there should be an agreed upon mechanism for measuring the skills and abilities of DPOs – ASAP! In the information security world, we have been tackling this through the existence of a longstanding Common Body of Knowledge (CBK) and the creation of a competency assessment framework approach through awarding bodies, such as the Institute of Information Security Professionals (ISSP), the BCS – The Chartered Institute for IT, and APMG.
The International Association of Privacy Professionals (IAPP) would be the natural equivalent for DPOs. However, as with many areas of qualification within the information space, there is already noise, confusion, duplication and complexity – much of which will confuse both recruiters and organisations alike.
The intent of the regulation is for a wider adoption of the requirements and expectations for personal privacy afforded to individual data subjects. Therefore, more organisations should undertake serious consideration(s) with regard to their data collection, use, handling, storage, processing, sharing etc. For many younger organisations for whom this approach is new, it may be extremely challenging to find an existing employee who satisfies the prerequisite requirements of being a DPO. (Repeat after me – expert knowledge of data protection law and practices.) This may mean that such organisations have to engage outside consultants, at potentially significant expense, to fulfil this role.
To return to our theme – whilst the Directive does not offer DPOs any special protection, murder is unlikely! The DPOs independence is taken seriously, as the GDPR expressly prevents dismissal or penalty of the DPO for performance of their tasks and places no limitation on the length of tenure. Therefore, a DPO cannot be liable under the GDPR. Consistent with the controllers’ and processors’ obligation of accountability under the GDPR, they are the ones that carry responsibility and, therefore, liability for non-compliance under the GDPR.
An organisation should not be able to take disciplinary action against a DPO nor can they terminate the DPO’s employment merely because the DPO makes life harder for the organisation. If an organisation could do so, it would leave the DPO unable to act in a truly independent manner. Thus, an organisation cannot instruct the DPO in the performance of their duties, which include “secrecy or confidentiality” as detailed under Article 38(5) which could potentially create a conflict for a DPO. Consequently, many organisations choose to engage an outside consultant as a DPO.
The GDPR is silent on whether individuals, or professional firms acting as a DPO, can be subject to criminal, administrative and corporate liabilities. In other compliance areas, such as competition, anti-corruption and export control laws, compliance officers which take on roles that are broadly similar to DPOs are not subject to individual liabilities of any nature, except in cases of wilful misconduct, gross negligence or breach of company policies or applicable law, just as any other employee would be.
Indeed, personal liability of the DPO would be inconsistent with their role under the GDPR as advisor to the controller or processor. Consistent with the controllers’ and processors’ obligation of accountability under the GDPR, it is the controllers or processors that are the decision-makers and that bear ultimate legal responsibility and liability for non-compliance under the GDPR.
DPOs may be subject to national offences. However, it is unlikely that, in practice, the DPO would be designated as an officer or a director of a company in the same way that the CEO and CFO would be. Nonetheless, those of us in independent consultancy roles providing “DPO as a service” will no doubt see expectations for increased personal and professional liability insurance in the coming months.
What protection would the designated professional membership body provide for an individual member? This is an area of professionalism in the information space that has yet to be effectively tackled. But I wonder – is there a future world in which DPOs will exist under the umbrella of Compliance Officers? Wouldn’t that be more logical?
Leaving the dance floor with more questions than answers. :(
About the Author: Andrea C Simmons, FBCS CITP, CISM, CISSP, M.Inst.ISP, MA, ISSA Senior Member is a director of Simmons Hall Bishoff Wolfe & Partners – https://www.shbwpartners.com/. Andrea has more than two decades of direct information security, assurance and governance experience, helping organisations establish appropriate controls, achieving and maintaining security certifications in order to ensure information protection is adequate for their crown jewels. Her work has included development of a trademarked and patentable enterprise governance, risk & compliance (eGRC) approach to addressing business information governance needs. Whilst also spending the last 8 years researching Information Assurance, Andrea has published two security management books. She can be reached at email@example.com.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.