I was recently asked this question and found it hard to answer. It takes a lot to be a decent DPO. So much depends on the culture of the organisation and the resources available to the DPO. Notwithstanding the specific obligations that are set out in Section 4 of the General Data Protection Regulation, I’ve known some that operate as one-man-bands, working in virtual isolation from the rest of the organisation. I’ve known others who manage small and, in some cases, larger teams. I’ve also known privacy professionals who have directed or supported short-lived GDPR privacy transformation project teams that were created purely to help the organisation comply more completely with data protection laws and requirements.
The organisational psychologist Heather Bingham has drawn my attention to a list of common leadership styles that I'll be referring to in this article.
I’ve known privacy professionals who have failed because they have displayed a toxic mixture of some of these styles.
I’ve also known privacy professionals who have felt that they have failed because, when joining a new organisation, they had not altered what was a winning combination in a previous role to the culture that prevailed within their new organisation.
have vision and can influence and inspire others. This requires a mixture of technical skills and also a willingness to accept a relatively high privacy risk. What advice or action really is appropriate, given the circumstances? It is not always the best approach simply to rely on every piece of advice that is uttered by staff working for data protection supervisory authorities. Regulatory opinions are what they say they are – only opinions. Ultimately, only the courts can determine the true extent of privacy law. This approach requires DPOs to develop their own ethical approach to key issues of the day, and then sell this approach to the organisation. The late comedian Ken Dodd once remarked that he never took his audience for granted. For each performance he felt he needed to start afresh and woo them. The same approach is often adopted by charismatic DPOs.
Many DPOs find the time to coach their colleagues and direct reports, which is often the only way that they are eventually able to offload some of their privacy work to anyone else within the organisation. Nurturing these supportive relationships takes considerable effort, though. It often takes some time for the privacy message to sink in. Some elements of privacy law, including a good few of the technical requirements that are set out in the GDPR, are not easy to comprehend. DPOs may also find great value in engaging with support networks created by organisations such as the Data Protection Forum, NADPO and the IAPP KnowledgeNets. There is safety in numbers – or at least safety in appreciating that a DPO’s approach to a particular privacy issue is very similar to that adopted by their professional colleagues.
I’ve also met privacy professionals who are just too tired to care too much about how they perform their day job. The demands placed upon them by their employers, and by virtue of the GDPR, have in some cases been overwhelming. Burnout certainly exists within the privacy profession.