Friday 21 August 2020

What mixture of leadership styles should a decent data protection officer display?


I was recently asked this question and found it hard to answer. It takes a lot to be a decent DPO. So much depends on the culture of the organisation and the resources available to the DPO. Notwithstanding the specific obligations that are set out in Section 4 of the General Data Protection Regulation, I’ve known some that operate as one-man-bands, working in virtual isolation from the rest of the organisation. I’ve known others who manage small and, in some cases, larger teams. I’ve also known privacy professionals who have directed or supported short-lived GDPR privacy transformation project teams that were created purely to help the organisation comply more completely with data protection laws and requirements.


The organisational psychologist Heather Bingham has drawn my attention to a list of common leadership styles that I'll be referring to in this article.


I’ve known privacy professionals who have failed because they have displayed a toxic mixture of some of these styles. 


I’ve also known privacy professionals who have felt that they have failed because, when joining a new organisation, they had not adapted what was a winning combination of styles in a previous role to the culture that prevailed within their new organisation.



Some organisations have a very hierarchical and deferential culture. Job grade is seen as more important than actual technical knowledge, so the purpose of the DPO may be primarily to reduce quite complicated concepts to simple PowerPoint presentations for more senior people with little technical knowledge to skim read and formally approve whatever recommendations the DPO has drafted. The autocratic DPO may exist because virtually no one else in the organisation has sufficient knowledge of – or interest in – data protection matters, so their decisions will be very rarely challenged. While competent DPOs may have the technical knowledge and experience to make decisions quickly, they can also easily be overwhelmed with requests for advice and support. It’s hard to motivate staff in privacy teams if all the decisions are going to be taken by an autocratic DPO.



Great DPOs have vision and can influence and inspire others. This requires a mixture of technical skills and also a willingness to accept a relatively high privacy risk. What advice or action really is appropriate, given the circumstances? It is not always the best approach simply to rely on every piece of advice that is uttered by staff working for data protection supervisory authorities. Regulatory opinions are what they say they are – only opinions. Ultimately, only the courts can determine the true extent of privacy law. This approach requires DPOs to develop their own ethical approach to key issues of the day, and then sell this approach to the organisation. The late comedian Ken Dodd once remarked that he never took his audience for granted. For each performance he felt he needed to start afresh and woo them. The same approach is often adopted by charismatic DPOs.



Some DPOs focus on outcomes. Teams must strive to work harder each year. More Subject Access Requests, for example, must be completed within the statutory time limits. Fewer privacy breaches must be identified. Records of Processing Activities must be regularly audited. A higher proportion of staff must pass the annual privacy learning programme’s knowledge test. Turnarounds for Privacy Impact Assessments must be improved, year on year. The daily grind of privacy work can be relentless, and while privacy metrics might improve, the morale of the staff at the privacy grindstone may not. 



An important way to promote accountability throughout an organisation is to educate and then devolve privacy decisions to others. This gives them an opportunity to better appreciate the privacy consequences of the decisions they take, particularly if they are then required to accept responsibility – and perhaps even apologise personally to those who have suffered as a result of their misjudgements. I’ve found that this approach also gives individuals a greater sense of pride in their daily work and in the decisions they take.  With effective supervision from the DPO, organisations can develop a strong culture of compliance that stands a good chance of being maintained when said DPO departs for pastures new.



I’ve met few privacy staff who have job profiles that are supported by comprehensive operating instructions which explain precisely how each privacy task for which they are responsible should be completed. The absence of comprehensive sets of operating instructions can lead to inconsistencies in approach within privacy teams. When Privacy Impact or Privacy Breach Assessments, for example, are carried out by different members of staff, perhaps working in different locations, a lack of clear instructions explaining how to weight particular privacy risks can result in very different sets of privacy recommendations being made. Effective DPOs will ensure that comprehensive manuals exist to safeguard against inconsistent approaches. This approach enables staff to feel more confident that they are doing the right thing when they carry out their privacy tasks. 



Many DPOs find the time to coach their colleagues and direct reports, which is often the only way that they are eventually able to offload some of their privacy work to anyone else within the organisation. Nurturing these supportive relationships takes considerable effort, though. It often takes some time for the privacy message to sink in. Some elements of privacy law, including a good few of the technical requirements that are set out in the GDPR, are not easy to comprehend. DPOs may also find great value in engaging with support networks created by organisations such as the Data Protection Forum, NADPO and the IAPP KnowledgeNets. There is safety in numbers – or at least safety in appreciating that a DPO’s approach to a particular privacy issue is very similar to that adopted by their professional colleagues.



Some DPOs prefer an inclusive approach, where all the key decisions are taken by committees. A weakness with this approach is that key decisions can be delayed until the issues have been considered by the committee members. There is also a risk that other corporate stakeholders, if their personalities are sufficiently strong, can override the reasoned assessments that DPOs make when forming their recommendations. DPOs must always know when to accept that their advice will be ignored. But so long as this has been properly documented, and the advice has correctly interpreted the law, the organisation can’t then lay all the blame on the DPO should a data protection supervisory authority decide to take enforcement action for a privacy transgression that results from the organisation’s failure to act in accordance with the advice.



I’ve also met privacy professionals who are just too tired to care too much about how they perform their day job. The demands placed upon them by their employers, and by virtue of the GDPR, have in some cases been overwhelming. Burnout certainly exists within the privacy profession.