Who wants to be a DPO?

Although the trend is not apparent at the time of this writing, I expect to see a lot of listings for DPO (data protection officer) positions in the near future. If you’re being considered for such a position, I assume you are familiar with the GDPR. Suppose you have an interview and get an offer; what should you consider before accepting the job? Specifically, are you willing to risk financial liability for it?

Legal commentator Gert Maton has noticed this issue (GDPR – The Data Protection Officer: a multitasker with great responsibility):

The personal liability in the GDPR is currently still a gray area. WP29 (the European GDPR work group, named after article 29 of the GDPR) will need to clarify this subject in the upcoming months. However, these organizations have already expressed that they would ‘not target the DPO’, should a disaster involving Data Privacy arise. Generally, the expectation is also that the upcoming clarification will protect the DPO against personal liability and, therefore, against being fired based on the advice given as DPO. (emphasis added)

At the very least I would wait for the expected clarification to be official before taking on a DPO role. As an employee, Belgian employment law may protect you (I suggest you get a written legal opinion before relying on any assumptions), but a consultant should shy away from the risk. Bear in mind that, even after leaving the position, you may still be liable for events that happen subsequently; all that is needed is for 20-20 hindsight to allege that there was something you could have done (or done better) during your tenure that would have prevented the occurrence.

It’s nice to know that, as a DPO, you won’t be “targeted”, but the ambiguous language suggests that they may be keeping open the option of holding the DPO liable. Maton goes on to say:

There is, however, one significant BUT. If the DPO systematically provides incorrect or unsubstantiated advice or fails to provide independent advice (i.e. if the DPO provides advice that benefits the company rather than objectively protecting data), then the DPO is, in all probability, personally liable. (emphasis added)

How do you prove that you gave good advice, especially after a data breach has revealed an unforeseen event? The correctness of the advice depends, in the eyes of most people, on how the future turns out. If you didn’t guess well (i.e., luckily), the burden will be on you to prove your innocence. You will be judged subjectively by others, perhaps by others who have never been in your position. It is difficult to argue that an event was unforeseeable or extremely unlikely after it has just happened.

After a disaster everyone will be in self-defense mode, and memories will vary as to who said what, when. How much time does the DPO need to spend on his or her personal protection? It seems that the DPO is being asked to be able to provide tangible evidence for every significant act (and let’s face it, any act may turn out to be significant in hindsight). People might not read your emails; they might refuse to click the return-receipt even if they do read them. Again, the burden is on you.

Anyway, do you really want to work in the kind of position where you have to return-receipt everything? How do you allocate your time between protecting the data, the organization you work for, and yourself?

Let’s face it: the GDPR was created for the benefit of persons, the data subjects. The data processors and controllers are going to hate the GDPR for many reasons, such as:

  • it imposes new costs with no offsetting benefits
  • it comes on the heels of years of cost-cutting (outsourcing, cloud, off-shoring), leaving open the question of whether organizations have the technical capability to make wide-ranging changes successfully
  • it reduces revenue streams generated by data exploitation, with no offsetting revenue or savings
  • it exposes the organization to bad publicity (via incident reporting and audits)
  • it exposes the organization to fines and lawsuits (by victims of privacy violations)
  • it complicates cost-cutting strategies, such as cloud and outsourcing, at least when they involve non-EU entities
  • it opens up the potential nightmare of trying to retro-fit many old, fragile applications for GDPR compliance, a huge challenge for one such application, let alone for many of them in a short space of time
  • it likely will force wide-ranging and unwelcome changes in organizational habits, apart from application development

In short, the GDPR was created to protect the public (data subjects) by setting limits on data processors and controllers. You will represent the public, but be employed, paid by, and embedded in the organization whose interests are in conflict with those of the public.

And you, as DPO, will be the person who represents the GDPR within the organization. You will likely have no real authority over those who are burdened with the costs. If management can’t or won’t force your recommended changes, or if there is foot-dragging resistance, the level of GDPR compliance will fall far short of the DPA’s (Data Protection Authority) expectations. The burden of proof will be on you to justify your efforts and show that management ignored your advice. You will bear the risk not only of technical failure, but organizational failure as well.

To bring in a recent post (link), what if management simply overruled your advice and sent data abroad, as the Swedish Transport Authority did in that case? What are your options: threaten to quit? How many times can you do that? Would it even count in your favor later?

What person in possession of good risk-awareness would accept the potential loss of everything they own in exchange for a salary or a consulting rate? Maton summarizes the necessary qualities of a DPO thus:

  • Legal know-how
  • ICT know-how
  • Business know-how
  • Risk Management know-how
  • Ability to report to Senior Management
  • Social skills

In other words, a highly-skilled, experienced person with marketable talents across several domains, presumably the kind of person who could find other, less risky, employment.

Presumably the “risk know-how” of such a person extends to his or her own personal risk as well as the risks facing his or her employer. About the DPO’s knowledge of risk, Maton says:

You must show that you are dealing with the risks you have identified. You must show improvement and that risks disappear or that their impact and likelihood of risks arising is getting less. This will only be possible if you are able to correctly assess risks after having identified them. What is the impact if this risk becomes an issue and what is the likelihood of this happening?

I rest my case on whether a good DPO will be sensitive to personal risk.

To speak of the ability to “correctly assess risks” or, even worse, to show that “risks disappear” is to presume that the future is knowable. If that were the case, we’d be living in a different world.

I maintain that purported risk forecasting, done without mathematical or statistical rigor, is entirely subjective and likely riddled with cognitive biases. It cannot be held out as a rational or predictable basis for organizational risk-taking, at least not the choice of which defensive measures to pursue, given a limited allocation of resources. This is the heart of the matter: time and money are limited, while potential threats and protective measures are unlimited. The allocation between these competing goals is always made under uncertainty.

What, to take an example from a past post, was BUPA’s prior risk that an employee would copy 108,000 customer records? (see BUPA story) Assuming it happened, how might you forecast the impact? What if the employee didn’t steal the records, but had his or her data-filled laptop stolen; what are the odds (and impact) of that outcome? As much as we would like to think otherwise, such likelihood is fundamentally unknowable, as is its impact.

Probability and statistics are no help if you have too little knowledge of possible outcomes to make an inference, in which case any assessment will be largely subjective. The un-knowability of both the probability and the impact of an event implies that liability insurance will be either impossible or too costly for an individual to afford.

A partial solution for an individual DPO at the moment is a contractual commitment by the employer (data processor or controller, which either has all-risks insurance or is large enough to self-insure) to assume any liability which may fall on the DPO as a result of his or her professional work. (I say ‘partial’ because you are still liable if the risk-assuming party fails to provide the promised compensation.)

After a disaster the DPO will be in the spotlight; it’s human nature to think that things are simpler than they are and to want to blame somebody. The mere possibility of ruin might leave you open to pressure to say or do things that you would not consider under normal circumstances.

Suppose you have a data disaster of the kind that happened to BUPA. One problem is that scenarios and counter-measures are infinite in number; another is that scenarios are constantly multiplying and mutating. With the benefit of hindsight, there will almost always be something that the DPO might have done to prevent the disaster. All the well-considered, risk-aware, blah-blah measures that you did take will be ignored.

In short, if you assume the DPO role you are accepting a downside of unknown probability and magnitude in exchange for the small upside of regular compensation. Unless and until liability has been unambiguously removed from the role of DPO, I would not advise anyone to subject themselves to such a risk.

Thanks to Flavio Saldicco for useful comments on this post.
