The General Data Protection Regulation changes the role of the data protection officer (DPO) in companies and government agencies: DPOs increasingly act on an equal footing with management and the technical departments. This requires strong leadership skills and a particular style of leading: technical guidance without disciplinary authority.
The word “leadership” describes the ability to influence people in a way that makes them achieve defined goals.
Even though the technical and disciplinary leadership positions are usually held by the same person, this is not always the case, e.g. when taking a project-oriented approach.
Data protection as a management and leadership task
Art. 39 of the General Data Protection Regulation (GDPR) specifically describes the technical leadership of the data protection officers, not their disciplinary authority. The overall responsibility for data protection remains completely at the management level (Art. 5 par. 2 in conjunction with Art. 24 par. 1 GDPR).
The data protection officer of Hesse describes the key tasks of the data protection officers as follows:
- They educate and advise.
- They monitor data processing for compliance with regulations.
- They ensure that employees who process personal data are aware of their responsibility and properly trained.
- They support the controller with performing data protection impact assessments.
- They collaborate with the responsible supervisory authority.
Controllers are free to add additional tasks to these mandatory ones.
Required leadership abilities
Even if the mandatory tasks can be fulfilled without management responsibility, they still require good leadership characteristics like
- role-model behaviour,
- communication skills,
- a sense of responsibility,
- self-confident manner,
- methodical approach,
- tolerance for errors and
- team leadership skills.
On the technical side, merely having profound legal and IT knowledge is not enough. The ability to formulate reasonable technical objectives, to delegate tasks by competence, to coordinate activities and to control the information flow is also required.
In addition, high social competence is required to improve motivation, create transparency, use synergies, and avoid friction and unnecessary loops.
This includes delegating tasks, treating everybody equally, giving praise and criticism and dealing with conflicts in a constructive manner. All this – not only concerning the data protection officer – ideally comes with a good measure of self-awareness and capacity for self-criticism.
Integration of data protection management
DPOs who focus on an advisory and monitoring role may be employed part-time, i.e. with limited time and financial resources. The prerequisite is that there are no conflicts of interest (Art. 38 par. 6 GDPR).
However, even where data protection officers work full time, it is important that data protection management is integrated into the operational and organisational structure and does not form a shadow organisation. In larger units, data protection coordinators perform the routine tasks in the technical departments. Only the more complex questions are forwarded to the data protection officer.
It is therefore indispensable to delegate responsibilities within the controller’s organisation. The data protection officer is the central coordinator for this process.
Staff function instead of lone fighters: redefining the role of DPOs
At the latest with the GDPR, the idea of the DPO as a lone fighter is a thing of the past. It is time to redefine the role of the data protection officer.
The data protection officers hold a staff position within the controller’s organisation, i.e. they are technically independent, report directly to the highest management level (Art. 38 par. 3 GDPR) and are authorised to access information, including confidential information (Art. 38 par. 5 GDPR, in conjunction with § 203 of the German Penal Code (StGB)).
To provide DPOs with the authority and the independence from directives, they should report directly to the highest management level. Within the controller’s organisation, data protection officers act as “representatives of the data subjects” (GDPR practical guidelines I by GDD, p. 8). They are the ones who consider – and may be the only ones who consider – the risks for the rights of the data subjects associated with the processing of personal data (Art. 39 par. 2, GDPR).
In order to fulfil their information and consultation tasks, DPOs always need to be involved early in all new developments and questions relevant to data protection. In addition, they need all the required resources and information (Art. 38 par. 1, 2 GDPR). This requires suitable processes and guidelines.
In practice, DPOs are frequently involved too late. This may result in delays when introducing new systems and in higher project costs.
From May 2018, any violation of the principles of Privacy by Design and Privacy by Default may result in a significant loss of trust on the part of those affected, in fines imposed by supervisory authorities and in cease and desist letters from competitors.
Data protection as a management task
The initial impulse for effective data protection management is a clearly defined management task. The GDPR clearly relies on a management system as an instrument to implement data protection requirements.
This “data protection management system” can be run independently or be integrated in other management systems, e.g. compliance management.
Sources
- Data protection officers in the public and private sector under the new law. Guideline by the data protection officer of Hesse, June 2017.
- The data protection officer under the General Data Protection Regulation. GDD practical guideline on the GDPR I, November 2016.
The management tasks of the DPO are not characterised by their disciplinary responsibility, but rather by their provision of advice and technical guidance to those who contribute to data protection. The fact that DPOs report directly to the top management provides the role with the authority required to fulfil its tasks.
It is essential to integrate data protection management into the structure and the processes of the controller. This is achieved by appointing people in charge of the processes and by training data protection coordinators.
The collaboration with data protection coordinators in particular requires significant leadership skills on the part of the data protection officers.
Markus Schäffter holds a PhD in mathematics and a professorship for data protection and information security at the University of Ulm.