Organizing For Data Protection: The Data Protection Officer As An Agent Of Change
For some time now, consumers and internet users across the globe have willingly relinquished large amounts of personal information to businesses, and as a consequence, we have seen companies with data-driven business models climb to the top of the world’s most valuable brands. Private companies not storing data about their customers are almost nonexistent, and lawmakers have consequently identified the need for an updated data protection regulation.
On May 25, 2018, the new European General Data Protection Regulation (GDPR) will be enforced, and the change it instigates has been referred to as a paradigm shift. One change that will be very much felt by certain private data controllers and processors is the now mandatory appointment of a data protection officer (DPO). The GDPR recognizes the DPO as a “key player” in the new data governance paradigm and has defined detailed conditions for his/her position and tasks. The data protection officer (and their colleagues) will become part of a select group of private sector employees who have their responsibilities and tasks defined by the government, and it is interesting to contemplate whether the DPO will be able to initiate, design, drive and implement the new regulation. In other words, will they be able to act as an agent of change?
Understanding the DPO's chances of being successful as a change agent is relevant for several different reasons. First, representing a shift in paradigm for data protection, GDPR is likely to include transformative change for most organizations. Therefore, it should be of great value to understand if the regulatory authority in charge has also created the conditions for compliance with the law it put into place.
Second, the implications of not complying with GDPR are significant: Organizations in breach can be fined up to 4% of annual global revenues or €20 million, which means that change management failure will have massive consequences for many companies. Therefore, it will be of the utmost importance to understand if the DPO will actually be in a position to make data protection changes happen.
Third, for technology giants like Facebook and Google, whose primary business models are based on data monetization, the DPO might be one of the few people who are able to ensure the feasibility of current and future products (e.g., is it legally possible for these giants to even continue to operate in the same way under GDPR?).
According to the GDPR, the data protection officer must:
• Be appointed on the basis of professional qualities and, in particular, have expert knowledge on data protection.
• Not carry out any other tasks that could result in a conflict of interest. To avoid such conflict, it is recommended that a DPO should not also be a controller of processing activities (for example, the line manager of a department that processes personal data); that the DPO should be a staff member not on a short- or fixed-term contract, or an external service provider; and that a DPO should not report to a direct superior but instead directly to the highest level of management.
Examples of data protection officer tasks:
• Ensure data protection compliance within an institution and help it to be accountable in this respect.
• Raise awareness of data protection issues and encourage a culture of protection of personal data within an institution.
• Give advice and recommendations to an institution about the interpretation or application of the data protection rules.
Under these conditions, I believe it will be very difficult for DPOs to act as agents of change. The GDPR criteria stating that a DPO be placed in a “non-conflicting” position exclude them from being line managers or even staff members, which means that it will be very difficult for the DPO to be seen as anything other than an outsider with a different agenda than the rest of the organization.
The fact that the DPO will report directly to top management is likely to only throw wood on that fire. It is not far-fetched to compare the situation to that of a financial auditor, where the task is to ensure compliance with accountancy practices. Accountants are usually legally required to sit outside of the organization and rarely have any other function than to control and audit the books. One significant difference from accounting, however, is that the GDPR's guidelines are much less clear than the generally accepted accounting principles (GAAP) and that data processing also happens in every department of a company.
GDPR keeps the door open for internal as well as external DPOs. My conclusion here is that in order to audit, they will need to be external, but in order to act as change agents in this complex change, they will need to be internal. I strongly believe that this will mean that controlling for GDPR will end up in the same “magic bullet” discussion that has hampered IT governance for decades and that the same illusion of control that exists when trying to control IT will hinder any real progress in data security. Imagine a large company with thousands of sales representatives handling customer information in IT systems every day. The security of that data will come from the respect that these employees have for their clients, not from audits performed by a DPO.
So, if the conclusion is that the DPO will likely not be able to act as an agent of change under the current conditions, what should companies do? This is a lengthy topic worth more consideration, but as fines for non-compliance will start getting distributed shortly, I would suggest treating GDPR more in line with other change management processes. For example, appoint influential leaders experienced in change management to spearhead cultural change and have an internal person for the role of “data protection champion” and an external DPO as the auditor. This will divide the cultural change from the auditing and likely increase the chances for real change.
Reproduced from: https://www.forbes.com/sites/forbestechcouncil/2018/05/30/organizing-for-data-protection-the-data-protection-officer-as-an-agent-of-change/?sh=142da154db37