
DPOs as independent agents – the better way forward for GDPR compliance?


A data protection officer (DPO) is now a mandatory role in many organisations, and it is one that requires total autonomy. Since the EU General Data Protection Regulation (GDPR) became applicable two years ago, data protection has become a priority for many organisations.

Meanwhile, data collection and analysis, in particular of the personal data covered by the GDPR, is the driving force behind many thriving high-tech companies. With increased reliance on data for decision making and advertising comes an increased risk of non-compliance with regulation. To make this complex process smoother for organisations that control or process large amounts of personal data, we suggest sourcing independent DPOs.

The importance of independence

To succeed in their role, DPOs require autonomy and must act independently of corporate hierarchies. With total autonomy, DPOs can carry out their duties without interference from internal parties. The DPO should report directly to the highest level of management in the organisation, so that advice on all data protection issues reaches the people who can act on it in good time.

A DPO must not be put in a position that may lead to a conflict of interest. Likewise, DPOs should not be the ones deciding how and why personal data is processed, as this would blur the lines of accountability between the DPO and the controller they are meant to advise and monitor.

For these reasons, an independent DPO is more likely to strike a balance between the competing interests of the organisation, the supervisory authorities and data subjects. Given the importance of the role, it is essential that the DPO responds adequately to the needs of each stakeholder and meets their obligations toward all parties.

How to achieve DPO independence in 2020

The role of a DPO includes advising on data protection impact assessments (DPIAs), training staff, overseeing the accuracy of data mapping and helping the organisation respond to data subject access requests (DSARs). These activities support legal obligations that apply to every organisation covered by the GDPR, and a capable DPO is the linchpin of a successful data protection programme.

To achieve adequate independence, the DPO must be given the necessary resources, including adequate budget, equipment and staff. The specific needs vary greatly between companies and may even fluctuate at certain times of the year. At HewardMills, we frequently work with organisations operating across numerous jurisdictions. Over the years, we have found a gap in the market for external DPOs with a wide range of capabilities, including technical, legal, business and linguistic knowledge. With new regulations and updated laws coming into effect across the globe, organisations need an adaptable and diverse DPO.

It is important that organisations controlling or processing personal data embrace and empower their DPO, not only to meet their legal obligations but also to build trust with data subjects. Working with the DPO may at times feel like one more item on the long list of daily tasks, but a successful working relationship with the DPO ultimately leads to higher ethical standards for data protection.

Furthermore, legal obligations and data subjects' rights are not optional. Ultimately, any DPO resource, outsourced or internal, ensures that data controllers are informed about the risks attached to their different processing activities. For instance, our team flags the need for data protection audits, for enhanced security measures, and for action on gaps in staff training and resource allocation. One of the main tasks of a DPO is to help the organisation identify and prioritise risks. For this reason, companies of all sizes are turning to DPO specialists, especially outsourced ones, to achieve compliance in a cost-effective manner.

Peace of mind through an autonomous partner

At the core of the DPO role is the duty to work independently and ethically. For this reason, European lawmakers built job security into the role: a DPO can still be disciplined or dismissed for legitimate reasons, but cannot be dismissed or penalised for correctly performing their duties.

This is why external DPOs have become a popular option for many organisations. Conflicts of interest are less likely to arise with a truly independent DPO who sits outside the organisational structure. Used correctly, the DPO is a partner who helps steer the organisation toward the ethical handling of personal data.

Gaining a competitive edge with robust compliance 

Data protection does not stop at meeting the basic legal requirements. Practical knowledge of how to manage these legal obligations efficiently, and the ability to empower the rest of the organisation to act in a fully compliant manner, is key to success.

Investing in data protection and privacy will win the trust of all stakeholders, including customers and employees. Organisations that foster a positive data compliance culture are at a competitive advantage in a world where privacy and data protection matter more than ever. For those that do not, the financial, legal and public opinion risks can be significant.

Dyann Heward-Mills, HewardMills