DPO – More Than Just A Title

Written by David Holmes

Lovely Jubilee Podcast

More than just a title

You may have seen that recent data protection reforms were included in the Queen’s Speech, at the state opening of Parliament, on the 10 May 2022. The State Opening of Parliament highlights the start of the 2022-23 session of Parliament, with the Queen’s Speech, written by the government, outlining the government’s policies and proposed legislation for the coming year.

In this year’s speech, the Data Reform Bill was proposed as part of a range of reforms to capitalise on the UK’s independent status, free itself from the shackles of EU laws and leverage existing strengths and progressive values held by the UK to operate an agile, pro-growth and innovation-friendly regime.

Away from the political bluster, spin, sound bites and attention-grabbing statements there is a serious side to what these reforms may include and how they may impact the UK’s approach to data protection, EU adequacy and future trade with the EU.

I’m sure all seasoned data protection professionals have read, interpreted, and responded to the consultation exercise titled ‘Data: a new direction’ and I don’t intend to repeat all the details here nor to surmise on what the conclusion to the consultation process may include. I’m sure we all eagerly await the published outcome of this exercise so that we can scrutinise the details contained within.

But what I would like to do is take a moment to consider one specific element of the proposed reform that relates to the role of a Data Protection Officer (DPO). I have held the role of DPO for a range of my clients and it is one that I feel quite passionately about.

It is proposed by the government that ‘some organisations may struggle to appoint an individual with the requisite skills and who is sufficiently independent of other duties, especially in the case of smaller organisations’ and therefore the ‘current requirements do not necessarily drive the intended outcomes of the legislation. The government, therefore, proposed, as a measure, to remove the existing requirements to designate a Data Protection Officer but to place the obligation to designate a suitable individual(s) with responsibility for privacy management and overseeing compliance. On the face of it, does this not appear to be the same thing? Is this simply an exercise to change the label and not what the DPO does?

Let me explain, we all know that the DPO, pursuant to Art.37(5) UK GDPR shall be designated based on professional qualities and expert knowledge of data protection law and practices. Yet the recommendation of replacing the DPO with a suitable person would undoubtedly require that individual to have similar attributes to be effective and ensure that the organisation is compliant with its obligations under data protection legislation.

The government in part recognises that there may be a risk to removing the data protection officer role ‘if this were to weaken internal scrutiny’ but I believe that it goes further than this in that there is a risk that this will not only weaken internal scrutiny, or create opportunities for organisational bias, but fundamentally removing the data protection officer’s role may ultimately have an impact on the interpretation of the data protection legislation to the detriment of an individual’s fundamental rights.

Yet the consultation document reverts to the point that ‘organisations still need to be compliant with the data protection legislation and accountable for compliance’ and that ‘some organisations may opt to designate an individual to perform a role similar to that of a data protection officer in order to independently monitor and assess the organisation’s compliance… but that this would be in addition to the appointed ‘responsible person’.

It appears, on the face of it, that the government has failed to fully understand the role of a data protection officer and instead suggests an ill-conceived alternative that a DPO ought to be replaced by, albeit by a different name, a DPO.

Now it may just be my cynical nature or grumpy outlook on some of the recommended reforms but if the reforms were to drive the intended outcomes of the legislation, then removing someone with the ‘requisite skill’, is not the answer.

The role of a DPO is more than just a title or addressing a tick-box requirement to be compliant with data protection legislation. It may sound rather pretentious to describe the DPO as a defender of rights or privacy but that is in essence their role as well as to provide appropriate, and bias-free advice and guidance on remaining compliant with data protection legislation and all of its nuances. I hope that these attributes remain within the role and responsibilities of the ‘responsible person’.

At the end of the day, data protection is not simply about protecting or keeping ‘data’ safe. It is about protecting people, ensuring their rights are upheld, and limiting what organisations know about them, or their private lives. It is not designed to inhibit growth or block progression but to ensure that the organisation interprets and ‘plays by the rules in a fair, lawful and transparent manner.

Within the reforms relating to the DPO role, I would have liked to have seen more focus on clarifying aspects of the law (e.g. what does large scale mean when determining whether the requirement of a DPO is met, providing clarity around additional roles the DPO can undertake without being in a position of conflict or clarity around the DPO’s professional qualities and knowledge levels to make the appointment of a DPO easier to identify).

Here at DPP we strive to ensure that our services, such as the outsourced DPO function, are designed with the client in mind and operate in a flexible and agile way. We appreciate that appointing a DPO can be expensive to resource and therefore offer a cost-effective outsourced service that ensures that organisations have access to a professional, unbiased critical friend that strives to make data protection easy: easy to understand and easy to do

To conclude, as we eagerly await the published outcome from the consultation process I am left wondering whether the new direction proposed by the government is a progressive move to reform/align parts of data protection laws (and I do agree that some of the proposals do make pragmatic sense) or whether, it is a political move to rebadge what is, in essence, a decent framework, as an exercise to demonstrate that leaving the EU was a politically astute move and not a political own goal.

Written by David Holmes