Many of the newly appointed data protection officers (DPOs) appointed by businesses in order to comply with GDPR are not fit for purpose, a leading data protection lawyer has warned.
Speaking to Verdict’s sister title Verdict Encrypt, Robert Wassall, data protection lawyer and head of legal services at ThinkMarble, expressed concern at both the appointment of either existing junior employees or inadequately trained external candidates to the position.
Timeline for Breaking banks
- August 6, 2019
He argued that this relatively widespread practice was resulting in DPOs that have “non-existent expertise” on data protection, making their appointment merely a box-ticking exercise.
“I’m almost tempted to say: what are they doing?”, Wassall said of businesses making such appointments.
“Are they saying we’ve got a DPO because they want to be able to say ‘we’ve got a DPO’? But if they can’t fulfill that role, I think that they’re misleading themselves and they’re misleading anyone else who is relying on the fact that they have a DPO.”
For companies that make such appointments, Wassall argued, the results could be severe: “The most extreme obvious example is that they’re going to do something which could lead them sooner rather than later towards one of these fines that we hear so much about that the GDPR permits.”
What is a data protection officer?
A DPO is tasked with overseeing internal compliance with GDPR, keep the company updated on their data protection obligations, assist with the completion of data protection impact assessments and serve as a key contact for both the GDPR supervisory authority and people the company holds data on.
Under GDPR DPOs are not only required to be experts but act independently and report to the highest managerial level within a business, making the position extremely senior.
While not all companies are legally required to appoint a DPO, larger companies that process certain types of personal data are, and many others have opted to create the role voluntarily.
Unsurprisingly, there has been a surge in the creation of DPO positions across Europe, and particularly in the UK where the role is unusual, ahead of GDPR coming into effect on the 25 May.
Why internally appointed DPOs can be a bad idea
Many companies have sought to promote an existing employee to the position, they are typically limited to junior employees due to the fact that the position needs to be independent.
“It’s clear from the guidance that has been issued that certain people by their role in the firm cannot be a DPO, for example people who are basically at the top end of the firm, the CEO, the directors, the heads of IT, the heads of HR,” said Wassall.
3 Things That Will Change the World Today
Even if they otherwise would have the required levels of expertise, by their role in that organisation they would be disqualified in effect from being a DPO.
However, Wassall does not believe that such employees will have enough expertise to meet the demands of the position.
The likelihood is that no existing employee will have that expertise, so how are they going to acquire that in any meaningful sense? And given that they’re an existing employee, then they’ve got a job to do, so therefore how are they going to carry out the job they were employed to do and be the DPO at the same time?
It’s very difficult for me to see how any existing employee, no matter what their job title may be, is likely to be able to fulfill that role that they were originally employed to do and be the DPO.
Can GDPR practitioners be DPOs?
Increasingly, many enterprising individuals have sought to meet the demand for DPOs by becoming qualified GDPR practitioners. However, this too may result in ill-suited candidates.
In the same interview, Wassall’s colleague Andy Miles, founder and CEO of ThinkMarble, expressed concern at the suitability of such individuals.
“I council extreme caution to those who appoint a DPO or one of these recently approved GDPR practitioners who has been on a recent course and what we’ve found is there’s a number of people, for example, on LinkedIn: ‘I’m now a GDPR practitioner, I could be your DPO’. Well they can’t, because they’re not subject matter experts,” he said.
“I think a number of companies are making grave mistakes where they think they’re doing the right thing when actually they’re not.”