Why a lawyer shouldn’t be a Data Protection Officer
The EU General Data Protection Regulation (‘the GDPR’) is the biggest change to data protection legislation for Europe in the past 20 years. Many organisations are now in a position that they require a Data Protection Officer.
Under the GDPR a wide range of organisations will be forced to hire a Data Protection Officer (‘DPO’) to help with data protection compliance. At the bare bones level the DPO is mandated by law to:
- inform your organisation of its GDPR obligations and to provide relevant advice
- monitor compliance with the GDPR and other data protection laws, and ensure staff have the right responsibilities and are appropriately trained
- audit data protection compliance
- be the contact point for your customers and staff for data protection matters
- cooperate with the data protection authorities that operate across the EU
However, there is a lot more to the DPO role, as we shall see later, which is why a whole set of non-legal skills are essential.
Demand for DPOs is growing rapidly
Data Protection Officers are not only needed in big companies – where they may be mandated by law – but in small and medium sized organisations, especially as they try to get to grips with complying with the regulation and its new obligations. With the violation of rules regarding DPOs incurring a potential fine of up to €10 million or 2% of annual global turnover (whichever is the greater), companies are desperately vying to get one.
It is estimated that over 70,000 new Data Protection Officers are now required worldwide to cope with the GDPR. However, when examining just how many scenarios and sectors are mandated to have a DPO, this prediction looks very low.
Some law firms, keen to extend their billable hours beyond their core areas of competence, are trying to position themselves as Data Protection Officer for companies. If you have ever engaged the services of a lawyer you will know that the legal industry has specialisations. So, the vast majority of law firms will not truly be familiar with data protection law and how it applies.
It may surprise you to know that some of the biggest law firms brought in external data protection consultants to help with their own GDPR transition, because of the specialist knowledge required. If you then put to one side the generalist commercial law firms you are left with a handful of firms that genuinely specialise in data protection law. Whilst they will meet the requirement to have an ‘expert knowledge of data protection law’, we ask ‘Is that enough to be a DPO under the GDPR?’
Knowing WHY and HOW to comply with the GDPR
There is a fundamental difference between understanding why a legal rule applies and how to make that an operational reality in an organisation. In contrast to a lawyer, professional DPOs must understand both what the law requires and how to implement compliance with that law in an operational sense. In practice this means helping a business to close its GDPR gaps in every function, at every level, across the people, process and technology dimensions. As such, they will have to understand not only how each function operates, but how to communicate with each of them, and how to implement a data protection programme in a way that makes sense for that organisation and its operating model.
Let’s take the requirement for a data controller to provide instructions to a data processor (typically an outsourced service provider) before they can process personal data. There are several key roles and responsibilities here. When DPO Experts works with a client as their external Data Protection Officer we will typically:
- identify the compliance risks
- determine the key risk controls required
- dovetail this with the data protection risk strategy that we created
- provide guidance on supplier due diligence, particularly for information security
- ensure that the documented instructions capture all the operational and compliance requirements
- provide advice on changes to the processes and procedures in order to be compliant
- monitor those supplier relationships in respect of GDPR performance
- undertake inspections or audit the processors
None of these tasks are the work of a lawyer. GDPR compliance is about changes in the way the business thinks and acts. This starts with the board and permeates your organisation’s operations looking at the data you process, why that data is processed, your business processes, procedures, IT systems, information security, people’s behaviours, supplier relationships, customer service, marketing, monitoring, auditing and so on.
A DPO must be multi-disciplined
Depending on the complexity of the client’s circumstances and needs it may be necessary to use functional specialists to support us when acting as the external Data Protection Officer. For example, the GDPR requires organisations to have documented instructions between data controllers and data processors, the latter typically being an outsourced service provider. In this situation the DPO will be able to advise on how to produce those instructions in the light of the operational context, processes and procedures. However, where complex legal relationships exist in the background, the lawyer in our team will be able to assist in aligning the data protection needs with the overall commercial relationship.
Another example of where we draw from a mix of functional experts is IT security. Again, in many instances the DPO will be able to guide the organisation in getting its IT security under control. Yet some organisations, which have high data protection risks and perhaps an online business model, may benefit from a deep dive conducted by our IT security experts. When the data controller outsources the processing of high risk data to a supplier, supplier due diligence around information security may also be appropriate. For this we assign our IT security colleagues to assist.
For most of our clients, when we supply a Data Protection Officer as a Service, the allocated DPO will be able to provide the advice, guidance and support to address their data protection risks. Where clients have more complex requirements they may require a virtual Data Protection team, which is when we draw on the specialist knowledge of our legal and IT colleagues.
The majority of our clients also require technical changes to be implemented for GDPR compliance. This requires an in-depth understanding of the technological landscape, best practice in information security, approaches to encryption, anonymisation and pseudonymisation, and information security controls. The professional DPO not only understands these technical concepts but also understands how they relate to other organisational measures across the people and process dimensions. Lawyers do not have the expertise or experience in planning or implementing such organisational and technological transformation.
You don’t need to be a lawyer to understand the law
It is also important to understand that you don’t necessarily need a lawyer to understand the law. A LinkedIn search of staff at the Information Commissioner’s Office (ICO) – the body regulating the GDPR in the UK – revealed that only a tiny percentage of staff studied law or are lawyers.
Emma Butler, a 7-year senior veteran of the ICO and now DPO at Yoti, said:
“A DPO needs to know not just what the law says, but what it means, and how it applies to the business in question and its activities. I strongly believe that you don’t have to be a lawyer to understand a piece of law.”
So, what do the lawyers say on this? Well, as legal firm and Parliamentary agents Sharpe Pritchard puts it, when looking for a DPO:
“You should look for a DPO with operational experience who has the ability to foster a positive data protection culture with the organisation, whilst also helping to partition responsibility for data processing, deal with data subject rights, ensure that records of processing are kept and that security of personal data is maintained.”
We cannot overstate how essential it is to have expertise and experience in business operations and project management. At DPO Experts we have responsibility to implement changes across the whole company, across all its functions, using project and people change methods. Our expertise comes from tens of thousands of hours of hands-on experience in leading regulatory transformation for some of the world’s most well-known brands such as BUPA, Barclays, HSBC, Jaguar Land Rover and Nationwide Building Society.
Large enterprises are typically where a Data Protection Officer may be employed full-time, mainly due to a company’s high data protection risks and the cost of employing this type of role. Where a company has decided to use an in-house lawyer as its DPO, it may have seemed advantageous because of that person’s existing understanding of the company, and because it is always convenient to hire from the inside.
So, let’s imagine that you have a lawyer who is a data protection specialist, is a regulatory compliance expert, has years of hands-on business change experience, can define and lead change across people and process, is technologically savvy and is a board room level operator – is their function as a lawyer going to compromise their role as a DPO?
Conflict of Interest
The GDPR prohibits anyone carrying out the tasks and duties of a DPO from having any conflict of interests. In large organisations, the DPO role normally sits in the Governance, Risk and Compliance (GRC) function rather than the legal department. This is because lawyers have a duty to put the interests of their employer or client first, above the interests of the data subjects. By contrast, the DPO is required to put the interests of the data subjects first. Therefore, any lawyer who takes on the DPO role will have a fundamental conflict of interest, which is illegal under the GDPR.
Even if an external law firm was used the same principle applies: you would not expect that firm to act for both adversaries in a dispute. In this situation, if the law firm was acting as DPO in the best interests of the data subjects, then how would they also act in the best interests of your organisation at the same time?
Germany has long required companies to have a DPO and we can draw on their experience in this area. The Bavarian Data Protection Authority takes the position that ‘members of the legal department may in certain cases have a conflict of interest which disqualifies those individuals from acting as a DPO’. This is backed up by the law firm Baker McKenzie, which notes that ‘if the legal counsel may represent the company in legal proceedings (especially with regard to legal actions against employees or customers, which may include data privacy related aspects), the legal counsel is subject to a conflict of interest and, therefore, not independent.’
It’s simply not practical or sensible to expect your in-house lawyer or law firm to act on your company’s behalf but simultaneously act on behalf of your data subjects, whose objectives may be diametrically opposed to the company’s.
An example of this flashpoint would be when a data subject makes a confidential approach to the Data Protection Officer to act in their best interests and perhaps make a compensation claim. If an organisation assigned a lawyer to the role of DPO, how could they possibly act independently and without a conflict in this situation? Would an external law firm really go up against the company that pays its bills and fight for the data subject’s rights instead?
To sum up, before the jury deliberates
Robert Bond, a partner at Bristows LLP, declared that:
“The DPO also being the in-house lawyer doesn’t work. It can be someone with legal understanding, but they also need all the other requirements to cover information security, communication, and to understand the marketing and advertising side. It’s an extraordinary job to take on as DPO.”
The fact that two well-respected law firms are warning against using lawyers as DPOs should say enough. Of course, neither they – nor we – are negating the importance of legal knowledge when it comes to being a Data Protection Officer. That’s why our Data Protection Officers have undertaken very specific training from privacy and data protection lawyers, including some involved in drafting the GDPR. However, as the DPO role is so broad in its responsibilities and requires so much practical knowledge of how an organisation operates, its various functions, and the methods for managing a GDPR project, the narrow focus of a lawyer isn’t enough.
To reiterate, the most important quality a DPO must have is not only an understanding of why the GDPR needs to be applied, but how to apply it.