There are two reasons why you may appoint a DPO; firstly, because the GDPR says you need one, and secondly, because you don’t need one, but you want one. I’m not going to talk about the regulatory requirements for a DPO, as there are plenty of blog posts around already. Instead, I’m going to talk about the situations when you may want a DPO without legally needing one.
To start with, I have to be clear that if you voluntarily create the role of DPO in your organisation, then that individual still has to carry out the duties and responsibilities mandated by the GDPR (Articles 37 to 39 for those that want to look them up). You can’t just ask Freddie in the marketing department to be your DPO because a client wants you to have one. Your DPO must have “expert knowledge of data protection law and practices” and they cannot have a conflict of interest with their existing role. For example, they cannot be the person who is responsible for making decisions about the processing of personal data and also the person who oversees the compliance of that processing. In 2020, a Belgian company was fined 50,000 EUR by the Data Protection Authority for appointing their Head of Audit, Risk and Compliance to the role of DPO. An expensive conflict of interest.
So, when might you be in a position of wanting a DPO but not officially needing to appoint one? I generally see this falling into 5 scenarios:
- You genuinely do care about your customers/users
- You want to ensure you are complying with other aspects of the GDPR
- You think that having a DPO will give you a competitive edge
- You know you will need one at a later date so it makes sense to get one sooner rather than later
- You are a start-up looking for funding or have an upcoming exit strategy
Because you care
Maybe I am very cynical, but if I am approached to be a DPO for a client who cites the first reason only, I know it’s going to be a tough gig, and I would likely decline. Businesses exist for one reason, and one reason only: to make money. The GDPR is a risk-based approach and there will always be a trade-off between cost and risk. If your starting point when appointing a DPO is the data subject then that is very admirable, but the chances are you haven’t thought this through. The result will be a DPO who misunderstands your risk appetite and will likely recommend a Tesla level of compliance when a Ford Fiesta will do a good enough job for you. Don’t get me wrong, you need to care about your customers/users but usually in combination with one of the other scenarios. Compliance is just one part of your overall strategy.
Wanting to comply… and sooner rather than later
My favourite clients are those that are looking for a DPO because of the second scenario: wanting to comply. These businesses are the ones who tend to be the most practical and pragmatic, and have thought through their risk appetite. They realise that the GDPR is complex and that they need someone independent to oversee the work that they are doing and keep them on the straight and narrow. They tend to be the ones that realise that the DPO is there to protect them. They are also the ones who fall into the fourth scenario at some point as well; they know they want to comply, don’t fulfil the legal need for a DPO yet, but if they get this right, then the expected growth will move them into the situation of requiring a DPO. It is better to have one earlier, as unpicking years of bad practice and digging up the buried bodies of years gone by is a painful process for both the DPO and the company as a whole.
The third and the fifth scenarios are what I call the “tick boxes”. Taking on a DPO just because all your tenders or RFPs ask if you have one is not a good reason. Instead, you need to wonder why clients expect you to have one. It should be a prompt for you to look at your processing activities and wonder if you should have had one as per the regulations in the first place. If a company does need a DPO and only realises it because their customers are telling them they need one, then the role of the DPO is an uphill struggle from day one.
Start-ups and exits
However, I really enjoy the other tick box ones; the start-ups going for a funding round or an exit strategy. The funding round companies are those that realise that in order to grow, they have to become compliant. They may have started off as a tick box, but if we look at what I said earlier – about a business existing to make money – suddenly you see a direct link between compliance and financial health. It’s the only scenario where that link is so explicit. A DPO in this scenario has a willing team, ready to get their house in order and grateful for the role that is being fulfilled.
Exit strategy DPOs are slightly different. These tend to be timebound engagements. As with investors, the due diligence lawyers expect a DPO to be in place (even where the regulation does not require one). They also expect a certain level of compliance, or at least a project plan in place that the DPO has overseen, to help the purchasing entity understand the risk involved in the acquisition. For the DPO, this is a very satisfying role. More often than not, you come into a company where data protection has not been a part of their growth strategy thus far, and you have the chance to create order from chaos. You also know, however, that when the acquisition happens, the acquiring company probably already has a DPO, and group policies and processes, and training plans, and just about everything you are doing will be replaced. Once you have done a few of these, you also get to realise exactly what it is that the due diligence lawyers are looking for and what they are not looking for, so your work is prioritised in a very different way than it would be for a long-term business-as-usual role. It’s definitely better suited to the pragmatic DPO, who recognises that sometimes business strategy is the only driving force.
Understand your drivers
Ultimately, businesses and DPOs need to remember that when a DPO is appointed outside of the regulated need, it is important that they both understand the drivers behind the appointment. The business and the DPO must be in sync as to what the business strategy is and what the priorities are, and must take time to set out the risk appetite of the business. It may also be that the appointment is not a long-term engagement. Whilst a DPO cannot be dismissed or penalised for carrying out their duties, if a DPO is not required then the role may easily become redundant as business priorities change. That is not always a bad thing. I have stepped out of a DPO role because I didn’t feel it was appropriate following a change in a client’s business and market strategy.
Where a DPO is required by law, the role can be pretty secure and long term. If the DPO is wanted rather than required, then the role in this circumstance can be a veritable Nanny McPhee:
“When you need me, but do not want me, then I must stay. When you want me, but no longer need me, then I have to go.”
This is the first in a 3-part series by guest contributor and DPO consultant Tash Whitaker.