Like a lot of people, I don't like going to the dentist. It's a chore, and (no doubt because I put it off) there always seems to be something painful or unpleasant involved when I do go. What has this got to do with data protection? Read on...
There is a welcome amount of continuing discussion going on about the appointment of data protection officers (DPOs) in organisations. Some are having to think about it as part of their Brexit contingency planning. Others, frankly, are only just focusing on GDPR compliance. For many organisations, the realisation of the need to appoint a DPO comes from a breach or a near miss, or as a consequence of losing business because they cannot demonstrate full compliance with the GDPR.
All of these are good reasons to be thinking about appointing a DPO, and the article linked below has some good guidance about some of the things that ought to be considered when making the appointment. But I must just sound a word of warning. DPOs are at their most effective when they are an integral part of the business, and in that context the use of terms like "poacher and gamekeeper" is probably unhelpful.
I know a number of DPOs who experience the frustration of being seen as "the enemy" within their organisation. This has a number of consequences. Those who are developing initiatives that touch data will often leave the DPO out of the loop, fearing that they will be told that they can't do what they want to, or resenting the extra layer of scrutiny which will be involved in getting their project cleared. At its worst, this leads to businesses deploying new software or implementing processes which are not provided for in their privacy notices or policies, without the DPO having any input into how those have been developed. There must also be the risk that such a dynamic would put pressure on the DPO to scale back their recommendations or scrutiny, in order to ingratiate themselves with their colleagues.
Over recent years, there has been a growing awareness of the risks around shadow IT, where individuals bring their own devices or applications into the IT ecosystem of the business. In the same way, a failure to see the DPO as an integral part of the business, at every stage, poses real risks for that business's compliance. It is almost invariably a part of a broader failure to embrace a culture of privacy by design, and the jeopardy that flows from that can be a good deal more discomforting than a half hour in the dentist's chair.
You can't be both a poacher and gamekeeper. In the real world, this means that an IT Manager, IT Director, CTO or Security Manager is highly unlikely to be able to also be a DPO. Additionally, you may find other positions that represent a conflict, such as a Marketing Manager. Be wary of these conflicts. The DPO role is fundamentally about governance and compliance. In turn, this sits naturally with legal and Security Governance teams. Larger organisations will have an in-house counsel (lawyer) who could be a DPO. They may also have a separation of operational IT Security and Security Governance teams. This separation usually results in the Governance function sitting outside of IT, which removes the conflict of interest for a DPO.