26 January 2018 by Toni Vitale
Data protection officers cannot act as conventional whistleblowers
For the first time in more than 20 years, this May will see a major overhaul of European data regulations, reforming rules that were set before popular use of the internet, before smartphones were invented or before digital data become a necessity in life.
Among the major changes in the General Data Protection Regulation (GDPR), which takes effect on 25 May, is the obligation for many organisations to appoint a data protection officer (DPO), which will be crucial in promoting accountability and ensuring compliance with the new laws.
GDPR will apply equally to controllers and processors who carry out processing involving the ‘regular and systematic monitoring of data subjects on a large scale’, sensitive personal data or data relating to criminal convictions and offences.
The regulation sets out the DPO’s role in detail. As well as being responsible for monitoring compliance with policies and procedures, they must also collect information to identify processing activities; inform and advise the controller or processor; and make recommendations.
Although some commentators have likened the role to an ‘independent whistleblower’, because of their duty to report breaches to regulators like the UK’s Information Commissioner’s Office (ICO), it does not follow that a DPO will always be prepared to blow the whistle as soon as a company falls a fraction short of compliance.
The role does carry the task of handling data breaches and the obligation to notify regulators and data subjects, and a DPO must be consulted in the event of a breach, but the position is much broader than this.
A DPO must implement systems and controls for compliance with data protection laws designed to prevent breaches, and should report to the highest level of management without being otherwise supervised on data protection matters.
This does not mean their advice always must be followed – ask any head of legal or head of compliance whether their advice is ‘challenged’ or ‘debated’. Yet it is this seniority, autonomy and independence that leads to the ‘whistleblower’ criticism.
“The reality is that DPOs have no interest in whistleblowing and would rather fix a potential data breach before it happens”
In practice, the role carries with it the obligation to try to prevent breaches and reporting a breach to the ICO is tantamount to the DPO confessing their own systems and controls have failed, even though they have no personal liability.
In its recent guidance, the Article 29 Working Party, the central advisory body on such EU data protection regulations, stressed how vested the DPO role is in preventing breaches rather than just reporting them.
Confidential communication to the DPO is essential for the role to function, and so the idea that the officer might act as a whistleblower is absurd. It would be counter-productive for them to act in a way that would undermine the staff’s trust, which would cut off their source of information, leaving them isolated and unable to do their job.
The fact that DPOs should not receive any supervision on data protection issues within companies may also be the root of some of the whistleblower criticism.
Such a position gives the impression they answer to nobody. The reality is that they have no interest in whistleblowing and would rather fix a potential data breach before it happens than report it afterwards.
The fact that reporting breaches is just one of a multitude of aspects of their role must also be considered. A DPO’s duties also include informing and advising the organisation and its employees of their obligations under GDPR and data protection laws, raising awareness among staff of these laws, and providing relevant training.
Additionally, the DPO must carry out data protection impact assessments and data protection-related audits, implement principles of privacy by design and by default, and maintain internal records of data processing activities.
The officer is also the point of contact for individuals on issues over the processing of their personal data or exercising their rights under GDPR. They cooperate with supervisory authority on processing issues and consult on other suitable matters.
A DPO should participate in regular managerial meetings and be present when decisions with data protection implications are taken. Also, importantly, they are bound by secrecy concerning the performance of their tasks.
The variety of tasks carried out by the DPO shows their role is not independent whistleblowing. Their position should not be seen negatively; the introduction of the GDPR will promote accountability, enhancing the trustworthiness of data processing within organisations.
Further information on the role of the DPO is available on the Winckworth Sherwood website.