Has ever such a regulatory role been so talked about in the journals and LinkedIns of this world, deconstructed, reconstructed, interpreted, misinterpreted, criticised and even praised! Confused by Working Parties, consultants and, dare I say, even lawyers. A person defined by Articles 32, 33 and 34, interacting with 46, responsible, without conflict and in honest heart, for every article in the 65 that constitute Directive (EU) 2016/680. The psychology of such a role is itself interesting and worthy of a separate discussion. This role is clearly non-technical, yet it is inescapable that bits and bytes are involved, such is the modern organisation – what a role!
Taking a broad view, suppliers do not seem to understand that the DPO is the honest broker in the deal, not someone buying their technological wares. Legal advice has understandably leaned towards the deterministic, seeking to anticipate the nuances of every situation. Of course, if a national authority investigates you they will check that every box was ticked, yet weigh up the chances of that against the cost of maintaining such a perfect GDPR regime. That’s why it’s easier for the larger and harder for the smaller to meet their commitments under such catch-all legislation. Even larger organisations expressed concerns as a twist on an old quotation: “data, data everywhere and not a derogation to help (much)!”. The manifest perception is that we have data about our data, data about data-subject requests, forms about data breaches, and data about data we must keep (or maybe delete!).
As a compliance services provider (I am being transparent here) we have talked to a lot of organisations about their desired approach and budgets. For most purposes, GDPR was considered ‘important but not urgent’, and now, after the 25th, that attitude remains the same – no change. As for spending to become compliant and avoid those fines, or at least the worst of those fines, rock-bottom spending remains the common factor. Only where reputation, risk or contractual terms were important did it move budget and timescale considerations. According to a survey of 150 UK SMEs, over half (53%) consider reputation damage their biggest concern around GDPR, with a mere 17% concerned about large fines. Overall, minimal spend and reputation protection are the dominant market characteristics of the SME and Mid-Tier privacy regime.
For SMEs this is especially true: cash saved today far outweighs the risk of major costs incurred tomorrow if investigated, or should data subjects seek legal redress. Many national authorities reinforced this attitude by stating little intent to pursue non-compliant smaller organisations, provided they could demonstrate moves towards compliance – just appointing a DPO seemed to be enough. Not exactly a period of grace, though it amounts to the same thing; this year’s end is my guesstimate for the net closing, with a fresh hard start in 2019.
Almost all we read is understandably from a legal perspective; no doubt this is highly important as it’s credible. The role of the DPO is critical to compliance and operating practice – it brings key credibility, a safe pair of hands! Then what happens when the legal adviser says ‘You don’t need one’, and the CEO says ‘I want one’ as a clear indication to customers and others that we take this seriously – the authorities really don’t matter in this sort of conversation. Clause 63 describes the role, its attributes and the balance of experience expected, stating plainly “Such data protection officers should be in a position to perform their duties and tasks in an independent manner in accordance with Member State law”.
The reality is that it’s straightforward for a larger organisation to resource this role: they recruit someone and it’s an additional cost, or an enlarged fixed overhead on the current budget. Yet for middle-sized and SME organisations this extra employee is a cost too far.
There have been a handful of publications talking about a permanent external consultant, retained to be familiar with the organisation, to advise when data privacy matters arise. Yet this does not, in my experience, give the much-needed trust and consistency the Regulations seek, and that managers in SME and Mid-Tier organisations need. This is a simple need for someone to take their DPA problem away – permanently.
“(63) A data protection officer may be appointed jointly by several controllers, taking into account their organisational structure and size, for example in the case of shared resources in central units.”
For us the development of thinking here was around an Independent Data Protection Officer (IDPO) service, tested from early customer projects. What was wanted was a shared service across many customers, bringing economies of scale to the SME, plus true independence, with an assurance to the authorities that an IDPO makes sure all is ‘honest, truthful, legal and decent’. The use of technology to handle gaining compliance and record keeping is a major bonus, and the IDPO has its own reputation to uphold, so any corners cut will be reasoned and balanced in context. So far, no national authority has rejected our taking on this role, and our customers know we will assist in all circumstances, from handling subject access requests to updating their notices and policies as experience necessitates. As far as we are aware, only one consultancy has talked of an external DPO role in more than abstract terms.
Where else is there experience of doing this? Monsieur Xavier Leclerc in France formed an external ‘mutualised’ DPO role for the Notaires de France, by agreement with the French authority CNIL. In practical terms their professional body became the data protection officer for all notaries, with costs apportioned according to practice size – small, medium and large. That it is mutualised fits with the culture of French professionals and appears to have worked well for the last few years. This is the only working example of an Independent Data Protection Officer service found. It has distinct advantages in that DPO costs are balanced across all notaries, bringing consistency and a slightly easier life for CNIL as an authority. However, any industry body would find it hard, perhaps politically or statutorily impossible, to cut adrift those who flout the rules.
Ultimately, we must acknowledge there is no such thing as absolute independence when payments and corporate people pressures are involved. It’s all an exercise of balance at the end of the day, yet the benefits to SMEs, Mid-Tiers and the authorities are strong enough to establish the IDPO as a valid contributor to ticking those boxes as well as pursuing those aspirational, ethical and moral intentions of GDPR. GDPR is clearly a political vehicle in that it signals internationally that the citizen has rights and those rights are tangible and enforceable. Might the IDPO become a balancing mechanism against supervisory authorities getting overzealous with enforcement, as we have seen previously on a few occasions in regulated environments? Will the ‘dawn raid’ become the weapon of choice for authorities if fines are no deterrent in the future?
Extending the DPO to become an IDPO: that person could be either a physical person, a professional body, or a legitimately formed business trained in data protection and related law, with practical commercial expertise and a duty to acquire expert knowledge in that field. Services would be provided on a retained basis with capacity to flex resources according to a customer’s commitments from time to time. An IDPO would be able to act for many controllers, processors or data supply chains. That service provider should help the controller and their employees or contractors processing personal data by informing and advising them on their relevant data protection obligations. Such data protection officers should be able to perform their duties and tasks in an independent manner in accordance with Member State law and be recognised professionally as competent in doing so.
In sales terms, the Features, Benefits and Advantages of an IDPO service would be specific to how each service provider operated. A solo artist would have a different scope compared with a major law firm, or with a more outsourced approach.
First published and Copyright in 2018.
A discussion of Hustlers, Politicians, Movers, Engineers, Artists, Double-Checkers and Normals.
“The Rime of the Ancient Mariner,” by Samuel Taylor Coleridge
CRM systems integrator SeeLogic, May 2018
No signs of ambulance chasing so far
Commission Nationale de l’Informatique et des Libertés (CNIL)
In the UK the United Kingdom Accreditation Service (UKAS), or in France AFNOR, as examples.