When it comes to privacy programs, though the organization itself remains accountable, the direction ideally is set by the data protection officer, or office. Where the organization selects and operates the car, so to say, the DPO functions as the gauges and the traffic sign recognition, warns of risky situations like seatbelt indicators, lane departure or near collision warning systems do, and indicates whether the road might be slippery from frost. A lot of useful information, helping the driver become more responsible and maintain control, so to speak.
The EU’s GDPR wasn’t the first to require a DPO, but it did wonders for the profession by requiring such a position at scale. The EDPB’s predecessor, the Article 29 Working Party (WP29), published rather definitive guidance on the function (PDF Alert) back in 2016, but the European Commission’s guidance dates back at least to 2010. In fact it was among the first few pieces I ever wrote after joining Gartner, shortly after the GDPR text was finalized in 2016, like a Toolkit: Privacy Officer’s Job Description to get in touch with one, or what their First 100 Days could look like (Gartner paywall for clients). So little to nothing of this is new, and yet…
We had to get a grip on these developments and not everything was clear, granted. The talent shortage though was obvious, and back in 2016 I predicted that by now, ‘30% of all privacy officers would be hired “as a service”’. Seems not precisely so, though looking at our global SRM survey results it has grown considerably: in 2019, 25% of respondents indicated that they (also) make use of DPOaaS, whereas in 2021 this has grown to 45%! (Obviously, a DPOaaS provider usually has more than 1 customer).
BUT WE’RE STILL NOT GETTING IT RIGHT.
The need for a DPO is increasing worldwide. In fact, after a small rush in Brazil, currently the Chinese PIPL puts even more stress on the job market. But that’s not what I’m wondering about. I’m more surprised at the number of organizations I meet that either have no dedicated privacy officer, or have appointed just some existing function in a dual role. In such cases you see a legal (only) approach, or worse: the CIO or CISO has to wear a double hat. Trust me, I’ve been in such a situation once and it wasn’t easy. Regulatory enforcement is showing something similar:
– In 2019, the Spanish AEPD sanctioned Glovo, as far as I can see the first hit on this topic, EUR 25.000,- for not having a DPO.
– In 2020, the Belgian DPA fined Proximus double that amount for the same.
– The AEPD followed quickly with a similar sanction of EUR 50K to Conseguridad, again for not having appointed a DPO where there should be one.
– And they did not stop there. The AEPD also brought warnings and slaps-on-the-wrist for not having a DPO against (i) public (ii) / government (iii) entities (iv), as well as others.
But now we’re moving into more detail. Mainly the Luxembourg DPA showed us in 2021 that even if you have appointed a DPO, it is critical to ensure it was done properly; in other words, no window dressing. Examples? Glad you asked!
– A DPO shall be correctly equipped and funded. Without the necessary resources and organizational framework, their tasks can’t be carried out appropriately. Or it’s EUR 18.000,-
– A DPO will have to be invited to all relevant meetings, and they should ideally report directly to the highest level of management. Or it’s EUR 15.000,-
– A DPO will have to be: appointed based on professional qualities and experience (i), involved in all data protection matters (ii), have the necessary resources (again, iii), and monitor compliance with the law and with company policy (iv). Or, it’s EUR 13.200 or more.
– A DPO will have to be known, easily contactable, and shall have no conflict of interest. Quite a responsible job, ey? AND:
– Did I mention the contact details must be easily found? That they have to be involved in ALL data protection issues, and should be able to on their own initiative freely access every nook and cranny of the organization? What about duly monitoring compliance? AND HAVE THE NECESSARY RESOURCES? Four things, and more. Or it’s again EUR 18.000,-
But it shouldn’t be about the sanction; this is no matter of money. This is a matter of intent.
A DPO is not that type of dead fox you’d wear over your shoulders 50 years ago for fashion purposes. If you want everyone in your organization to do what they’re good at, why not let the DPO do the same? This is no compliance matter either. It requires first and foremost the acknowledgement that a privacy professional is there FOR YOU. To help the organization reduce risk, enhance customer trust levels (and retention if you get it right), and help facilitate and enable a more deliberate, intentional way of doing business. Preventing people from having to see their information being abused, which leads to their loss of dignity or worse, autonomy, while preventing you from running around like a headless chicken whose mind is on nothing but more, more, MORE over the backs of human beings.
Was that too harsh? Well, you don’t ignore your near-collision warning system either, do you? That’s a wake-up call.
And if you feel that’s not you, then you are my hope. Get it right. Celebrate the privacy professional and let them do their job as freely, well-funded and vigorously as possible, so you can safely and swiftly do yours.