Wednesday 9 May 2012

Whither the Data Protection Officer?

If you put your ear really close to the ground, you can detect a growing sense of unease with the proposal in the Commission's draft Regulation to require enterprises over a certain size to appoint Data Protection Officers. The unease is growing at such a pace that soon, I predict, more people will be openly questioning the Commission's proposal, as we know it and apparently love it.

Today's Queen's Speech at the State Opening of Parliament, for example, mentioned the British Government's proposals to cut more of the red tape that surrounds businesses. And all over Europe, people are wondering whether the German model, which sets out strong requirements for Data Protection Officers in firms employing more than 10 staff, really is appropriate in this day and age.

As is so eloquently expressed in that popular quote: "You can put lipstick on a pig, but it’s still a pig."

Let me explain.

The argument runs that what is really required is for enterprises to take data protection seriously. In other words, it should be the duty of someone at the highest level of the enterprise to manage it, and Board members should be regularly held accountable for the data protection practices used in the organisation.

The argument also runs that some Boards evade their proper data protection responsibilities by delegating the data protection work to a junior employee who is hardly ever in contact with people at Board level, or even with people who report to people at Board level. These DPOs are, in effect, used as firewalls: the enterprise carries on regardless, while some poor inoffensive fall guy carries the can each time something goes wrong.

Accordingly, enterprises ought not to be prevented from appointing DPOs, if that's what they want and it's possible to find someone who has done more than read the odd ICO press release. But the appointment of a DPO should not in any way reduce the Board's accountability for ensuring that proper data protection practices prevail.

I predict that there will be moves from some of the more enlightened Member States to allow data controllers the option of appointing DPOs, but not to require them to make such appointments. I, for one, think that's an extremely astute idea. It ought to cement the accountability principle at the highest level, making enterprises fully accountable for their actions and also responsible for deciding how that accountability is assessed.

This option also gives the Board more discretion when assigning the data protection compliance responsibility to someone. It means that, rather than being a mere technocratic functionary, the person chosen is more likely to be very senior within the organisation. Look at the American model: US law does not require the appointment of a DPO, yet very senior Chief Privacy Officers are all over the place. Compare that with the UK. How many DPOs are that senior in British companies? Even in Germany, the legal requirement to appoint a DPO has, in practice, resulted in individuals with very different levels of experience and seniority being appointed to the role. Yes, some are senior. But, equally, others are not.

So, battle lines are forming. Both sides share the same objective: delivering high standards of data protection. The argument is about how those standards should be delivered. By employing someone whose role is so specific, and so firmly enshrined in law, that they are seen as the Regulator's nark? Or would it be preferable to let Boards decide for themselves how to comply, perhaps by employing the services of "a guide on the side"? This second option appeals to my more pragmatic nature.

Let’s see how this argument unfolds. We data protection professionals may well have a variety of options available as we consider how to develop what is fast turning into a career (but not necessarily a job) for life.
