Companies Need EU Data Protection Officers With Business Acumen


By George Lynch

Companies doing business with the European Union have less than a year to comply with a new privacy regime, and one requirement in particular—that businesses have a designated “data protection officer”—is trickier than it sounds.

Finding qualified DPOs poses a significant challenge for companies. The International Association of Privacy Professionals estimated that companies will need to hire 28,000 DPOs in Europe and the U.S., and 75,000 total worldwide, to meet their DPO compliance obligation. The process is even more stressful for companies trying to meet the EU’s General Data Protection Regulation (GDPR) deadline because official guidance on which DPO arrangements will satisfy EU officials and national privacy regulators has been limited.

Companies should hire data protection officers who have a savvy business sense and good management and communication skills—not just legal know-how, privacy professionals told Bloomberg BNA.

Businesses are scrambling to meet the May 25, 2018 effective date for the GDPR, which mandates that they designate a DPO if their “core activities” involve processing that requires “regular and systematic monitoring of data subjects on a large scale,” or large-scale processing of special data categories that reveal biometric, racial, religious, or political characteristics. The requirements aren’t confined to EU companies but cover any company with business operations in the bloc or that focuses on EU customers.

Amid that uncertainty, privacy pros told Bloomberg BNA that ensuring a DPO has business skills is crucial. An effective DPO can both help the organization avoid crippling GDPR fines and give the company a competitive advantage with an innovative and forward-looking privacy policy, they said.

The GDPR will bring stricter standards for user consent to the use of their personal data, mandatory data breach notification, and fines as high as 20 million euros ($22.4 million) or 4 percent of a company’s annual worldwide turnover, whichever is higher. Given the high stakes, appointing DPOs that are acceptable to privacy regulators and able to successfully navigate complex compliance waters is imperative, they said.

Companies will need to hire DPOs to act as business leaders, Bojana Bellamy, president of the Centre for Information Policy Leadership in London, told Bloomberg BNA. DPOs should play an integral role in business decisions and have a seat at the table with C-suite-level executives, she said.

DPO as Business Leader

The GDPR requires the DPO to “directly report to the highest management level of the controller or the processor.”

Monika Kuschewsky, privacy partner at Squire Patton Boggs LLP in Brussels, told Bloomberg BNA that what the GDPR text means with regard to requiring DPOs to have access to the “highest management level” in a company isn’t clear.

Bellamy said that regardless of any ambiguity, it is clear that the DPO should have “more authority, more seniority, and more impact” than it does today, especially in many European companies where the DPO is often a mid- or junior-level role.

This means the DPO must report to “the CEO or chief operating officer who controls the collection and use of personal data or processes the data at a controller’s direction,” Winston Maxwell, privacy partner at Hogan Lovells LLP in Paris, told Bloomberg BNA. That isn’t the case in most organizations today, where DPOs usually report to a chief compliance officer or general counsel, he said.

At very high levels of the company, “business skills are critical” to be a successful DPO, Bellamy said.

Detlev Gabel, privacy partner at White & Case LLP in Frankfurt, told Bloomberg BNA that companies should regard DPOs as a metaphorical profit center, not a cost, because data protection compliance can pay dividends.

Maxwell, a co-creator of a joint education program of Hogan Lovells and the Paris law school Panthéon-Assas, launched to certify individuals as DPOs under the GDPR compliance scheme, said that management skills training is important because many existing DPOs “come from the legal department and are relatively junior.”

Avoiding Marginalization

DPOs coming from the legal field who aren’t well versed in business can quickly marginalize themselves, Maxwell said. Lawyers tend to focus too much on the personal data risks that proposed actions may create, rather than considering a larger picture and giving management options to move forward, he said. Instead, DPOs need to be “a valuable discussion partner when the business is considering different solutions, none of which are likely to be perfect.”

Bellamy said that rather than focusing only on the problems of any project, the DPO must be a solution-maker, always thinking about how to achieve goals while protecting people’s information. If they are “nay-sayers” they will lose the company’s trust and be marginalized.

Gabel said that to be successful on the business side, a DPO needs to be a facilitator and a communicator because they need to be able to bring everyone in the business on board to focus on privacy and data security.

Bellamy said a 2016 Centre for Information Policy Leadership report on the skills important for a DPO to be effective focuses on those communication and external engagement skills. An effective DPO under the GDPR scheme will need to be a business leader in working both inside the company and as the company’s high level representative with external stakeholders, such as public interest groups and other companies, as well as being the company’s primary voice in relations with privacy enforcement authorities.

Acceptable Qualifications Unclear

The GDPR provides general information on the qualifications that a DPO should have but doesn’t lay out credentials in any detail. In three articles (Articles 37 through 39), it explains which organizations need to designate a DPO and describes the position and the tasks the DPO will perform.

The GDPR only provides that a DPO must “be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability” to perform tasks required by the GDPR.

The Article 29 Working Party, which is made up of privacy regulators from the 28 EU countries, has issued guidance on DPOs that attempts to add details to the GDPR’s ambiguous and vague provisions.

The guidance said that the required level of expertise “must be commensurate with the sensitivity, complexity and amount of data an organisation processes.” DPOs also “must have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR,” in addition to understanding a company’s particular business sector, information system, and data protection needs, according to the WP29 guidance.

Gabel said that DPOs need to understand a respective business’s processes, have insight into what the company is doing with data, and know where to look for potential privacy skeletons in the closet.

The regulators’ guidance is very detailed, Gabel said, and sets a relatively low threshold for when a DPO must be appointed. “The GDPR itself could leave the impression that the threshold for hiring DPOs is higher than WP29 suggests,” he said. However, the GDPR gives countries leeway to adopt stricter requirements than those set out in the law.

To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
