On 30 April 2019, Squire Patton Boggs and the Digital Policy Alliance held an event entitled “Data Governance Under the GDPR: Are DPOs the Best Solution?” The aim of the session was to explore different approaches to the management of tasks involved in data governance, data protection and compliance, and the advantages and disadvantages of having a Data Protection Officer (‘DPO’). Following a scene-setting overview provided by Matthew Kirk, Senior Advisor at SPB, the discussion was led by Lord Erroll (Chairman of the Digital Policy Alliance). Jonathan Bamford (Director of Strategic Policy (Domestic) at the ICO) gave the keynote address and then joined the panel alongside Annette Demmel (Partner – Squire Patton Boggs) and Carol Tullo, OBE (Senior Associate and Legal Counsel – The Trust Bridge).
The changing role of a DPO was acknowledged by the participants. Far from being a set of additional responsibilities tacked onto the end of an individual’s existing role, the DPO role is becoming a fully-fledged profession in a post-GDPR world.
The event participants were reminded by the ICO of the guidelines available online aimed at helping organisations determine whether a DPO is required. The participants discussed that some organisations may not be required under the GDPR (or national implementing legislation) to appoint a DPO, but may wish to do so on a voluntary basis (and give them a different title accordingly). A voluntary appointment can be seen as a useful accountability measure and demonstrate that the organisation brings privacy to the heart of its business.
The discussions also included consideration of external DPOs and how they could present a useful resource for a company. Whilst it may be preferable to have an internal DPO, who has a good understanding of the culture and policies of the organisation, smaller organisations may have no additional capacity for such a role, in which case the external DPO role might work better. There was some discussion as to whether external DPOs would understand the culture of the business, and in this respect participants felt that DPOs should establish contacts in each department of the business to bridge any gap.
Where a DPO would sit in an organisation turned out to vary from business to business. However, it was deemed important that a DPO should not be compartmentalised within one part of the organisation. They must be able to maintain independence and advise the business without having their position compromised.
The DPO may be seen as an enabler in the business, especially in privacy by design – which ensures “built-in, not bolt on” data protection measures. Training and awareness was also seen as an important job of the DPO. What participants agreed on was that the responsibility for good data governance ultimately rests with the highest levels of the organisation rather than with the DPO, who has an advisory role.
Participants expressed an interest in holding further events where GDPR-related issues could be discussed in a similar interactive manner.