Does your DPO have a Conflict of Interest?

What is a DPO?

Unlike many other areas of compliance, data privacy adherence is not something that can be audited once and then presumed to continue for the foreseeable future.

Data is the most voluminous, mobile, essential and potentially dangerous asset any business owns. It is created, deleted and interacted with constantly, often in new ways by new individuals.

A point in time audit is simply not suitable for continuous oversight of how data is treated.

It is this unavoidable truth that led the GDPR legislators to require organizations that process the most data, and/or the most sensitive data, to ensure that the interests of the data subject are continually and adequately represented in any and all data processing. Hence, the mandated requirement for the Data Protection Officer (DPO).

Under Article 37, DPOs are a mandated requirement if:

  • You are a public authority or body
  • You are an organisation whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale (e.g. online behaviour tracking)
  • You engage in the processing of large volumes of special category data, or data related to criminal offences and convictions

The DPO’s tasks are outlined in Article 39 of the GDPR as:

  • To inform and advise the business and its employees of their GDPR obligations.
  • To monitor and audit compliance with the GDPR and the business’ data processing policies, including the assignment of responsibilities, awareness-raising and training of staff.
  • To manage data protection impact assessments, and monitor their outcomes.
  • To cooperate with and serve as the contact point for Supervisory Authorities.

Appointing a DPO internally

Many mandated businesses have dutifully appointed their DPO. Consciously seeking to avoid the expense, time and difficulty of hiring a new head, they have distilled the requirements and responsibilities to their raw essences and found a person internally who:

  • Understands the way the company ingests and uses data
  • Has the standing and breadth of involvement in the business to appreciate every data workflow
  • Is experienced in the administrative, legalistic and monitoring sides of compliance
  • Is senior and credible enough – as the GDPR requires – to interact with, advise and perhaps argue with the highest levels of the business

This seems suitable. The rights and interests of the data subjects appear to be best protected by a person who has this experience and background, and who can monitor the organization’s activities and ensure their adherence to the rules and the sentiment of the GDPR: the CIO, CISO, Head of Compliance, Head of Legal, even the CEO.

These organizations seem to be acting in totally good faith. After all, Article 38(6) even allows the DPO role to be a secondary role on top of day-to-day operations.

But they have forgotten an underlying principle of the GDPR: the DPO must be independent.

Expecting someone who also has responsibility for the management, oversight, strategy or security of data and how it is processed (i.e. a data controller) to also scrutinise, critique and object to those same processes on behalf of data subjects creates a conflict of interest.

It is like asking students to mark their own homework. As much as they may be obliged to remain impartial, they have their own obligations, objectives and interests that prevent them from being completely and undeniably impartial.

No matter how ethically they may think they act, it represents a compliance failure.

The danger

And legislators are hot on this. Most Supervisory Authorities, including the UK’s Information Commissioner’s Office (ICO), have issued specific guidance on how to avoid conflict of interest. While this proactive support shows that the SAs intend to help businesses avoid making this error, the flipside is that it also means they will not tolerate failure.

Indeed, fines have started to be handed to firms who overstep, intentionally or otherwise. A prime example is a €50,000 penalty for a Belgian telecoms operator whose DPO was also their Head of Compliance, responsible for the compliance, risk management and audit functions. Dispassionate and independent review of their data protection processes from a data subject’s perspective versus the business’ was deemed impossible.

Some examples of roles often asked to also take on the DPO role

  • CIOs
    who define the IT strategy, including where data resides, how it is accessed and by whom, and on which platforms.
  • CISOs
    who build security strategies that prioritize certain measures or defences against certain cybersecurity threats.
  • COOs and CEOs
    who have responsibility and/or influence over how data is processed, for what purpose and through what tools.
  • Heads of legal
    who balance the interests of the organization against what is permissible or possible under the law.
  • Heads of compliance
    who balance the organization’s needs and operations with the requirements of various regulatory frameworks.
  • Heads of departments
    E.g. marketing and HR, who determine how data is processed within their teams in order to meet their objectives.

The whole point of the DPO is to stand apart from the interests of the business and be the voice of the data subject.

How can any of these roles – all of which put the interests of the business first – be compatible with a second role that expects them to demand that the business undertakes specific actions to protect the interests of the data subject, or even to spot the need for additional actions? An external perspective is often key.

Should you outsource your DPO?

A company must appoint a DPO who is free to operate independently. There should be no pressure from management, or risk of insufficient perspective on data-centric processes or strategies that may jeopardize the continuous privacy of personal data.

If you suspect your current internal DPO appointment is putting your GDPR adherence at risk, then you should consider making a change soon.

Reasons for considering outsourcing the DPO role:

  • Guarantees impartiality
    Appointing an external party is specifically permitted under the GDPR, because such a person is able to avoid conflicts of interest, act dispassionately and often challenge senior management more easily.
  • Greater accuracy
    An external DPO is likely to perform better than an internally-appointed DPO who may be restricted by the working practices of the business or by not wishing to undermine wider objectives.
  • Wider skillsets
    The better tier of outsourced DPO services bring not only legal expertise, but also data security and technology, plus experience across numerous jurisdictions and data privacy frameworks.
  • A show of trust
    It shows data subjects and Supervisory Authorities that you take the privacy of data seriously, and are not willing to take dangerous short cuts to adherence.
  • Faster to appoint
    Some try to hire a dedicated DPO, but find they are in high demand and short supply – some reports say 1 candidate to 10 open roles, and many taking over a year to appoint.
  • Significant savings
    Because of how rare suitably qualified people are, they often command a premium salary. Outsourcing the role is far more cost-efficient, and tends to bring wider skillsets.

How Calligo can help

Calligo’s expert and highly-qualified data privacy consultants, who each have a unique mix of legal, technical and infosecurity expertise, are ideally suited to serve as your outsourced Data Protection Officer.

Our DPO as a Service clients range from SME to the largest enterprises, span every sector, multiple geographies and privacy regulations, and process some of the most sensitive categories of data.

Our experts provide ongoing monitoring and audits of the collection and processing of personal data, plus staff training to ensure our clients’ total and ongoing protection. They also represent your organization to both data subjects and Supervisory Authorities.

To find out more about our Data Protection Officer as a Service, click the button below and speak to our expert Data Privacy Consultants.

Data Privacy Update: Virginia Consumer Data Protection Act (VCDPA)

And so it continues. Last month, Virginia passed its own privacy law, the Virginia Consumer Data Protection Act (VCDPA), adding fuel to the fire over a US federal privacy law, and introducing new complexities for businesses operating in or addressing the US market.

It will take effect on January 1, 2023 (the same day as California’s CPRA which amends the current CCPA) and was passed in record-breaking time: less than two months, and by an overwhelming majority.

Such was its speed and simplicity that many other state bills are actively mimicking some of its propositions, including Colorado, Connecticut and Minnesota.

Theoretically, this active copycatting will limit the ongoing differences between state laws, but this of course remains to be seen.

The Data Privacy ‘To Do List’ for the new US administration

A new administration is a federal privacy law.

It is a conversa

The US should learn from this. It has, after all, its own longstanding experience of how state-by-state commerce rules can at times create difficulties and additional expense. Law-making and enforcement is notoriously especially tricky. Imagine what happens with degree of protection and oversight.

This creates excessive regulatory burdens and hampers innovation.

But it is easily solved: recognise that the sensitivity of personal data can be classified not only by its technical category but also by its potency.

The US administration – as the government whose states are creating and debating the most privacy laws, and that oversees some of the largest technology organizations in the world – has an opportunity to address the proliferation of data-hungry organizations, control their appetites, while also appreciating the true variety of personal data beyond simple technical classifications.

To do so would not only earn the simultaneous approval of ‘big tech’ and small innovators, but also legislators, policymakers and privacy professionals who labour under this absurdity every day. And it would lay the foundations for the most modern and up to date privacy framework in the world.

A new administration in the most influential economy in the world triggers new hopes and expectations in every industry. But if major change were to be on the agenda, what would be the most beneficial, transformative, impactful or prudent new data privacy initiatives that the new US administration ought to introduce?

The Two Halves of Cloud Migration

Cloud migration projects are like going on journeys – multiple directions to take, sights to see along the way and plenty of obstacles!

Journeys like this need guidebooks, written by people who have travelled the route hundreds of times before, just as Calligo has.

Calligo has created two guidebooks – one for each half of the journey – and a map, that together will help you identify the obstacles to overcome and the common wrong turns.

1st Half: Exploring the business case, planning your trip and setting off on the expedition

What does the first half of the cloud migration journey entail?

Defining your strategy

Measurable Business Objectives

A successful cloud migration needs to have clear and defined business objectives planned from the very start. There are three different types of objectives to consider: technical, strategic and end-user. All three need to be considered equally, ensuring you have balanced project outcomes that will benefit every corner of the business.

Public, Private or Hybrid Cloud?

Deciding which approach will be most beneficial to your business early on is crucial. Much of the success of the project depends on the suitability of the model you choose, so this is undoubtedly the area that requires the most careful consideration – and the hardest to reverse out of if you get it wrong.

Application Analysis

For any cloud migration, conduct a thorough assessment of all applications, tools and processes to determine their suitability for the cloud. It’s also important to be flexible when analysing your current applications; not everything will be suitable for the cloud, and some legacy applications can be replaced with newer cloud-based tools.

Vendor Selection

Once you have decided on your strategy, you now have to make the most important decision: the most suitable vendor to help you deliver on it. There are two areas to consider here: the technology and the service.

Technical preferences

These include questions like the vendors’ data centre locations and whether they meet your practical and data residency needs, or whether they have the security and governance frameworks in place to satisfy your own policies, plus a roadmap of development that will keep up with your needs.

Service preferences

What type of service are you looking for in a vendor? Do you need the support of a dedicated account manager or team, or is a personal service not necessary? What metrics are you looking for? Are the contracts and SLA assurances sufficient for your business and customers? And what additional useful services are in the portfolio that could help you not just store your data, but also help your teams extract insights from it, maintain its compliance or optimise the delivery of your data?

Compliance frameworks

What compliance frameworks can your potential vendor prove adherence to, and which are important to you? For example, ISO 27001, ISO 9001 and SOC 2 are all reasonably typical, but what is their stance on ISO 27018, the first international code of practice for the protection of personal data?

And how can they support your data residency and sovereignty needs? Are you nervous about the CLOUD Act or FISAs and will this vendor be vulnerable to such government data access requests?

2nd Half: How to perform the migration itself

Here are just some of the key aspects of any migration project.

The 6Rs of Cloud Migration

The six potential courses of action for each application when migrating to the cloud, including Rehosting, Rearchitecting or Retiring. You can find out more about the 6Rs of cloud migration, here.

Interoperability and Portability

Interoperability is vital to ensure, as it enables cloud services to understand each other’s APIs and data formats in order to co-operate. It is often frustrating due to a lack of standards, but it is nonetheless the key to much of the ROI of a cloud migration.

Portability

The ability to move your cloud environment from one cloud provider to another, often in response to price increases or outgrowing the current vendor. Fail to ensure this, and you will create your legacy of tomorrow.

Supplier management

A cloud migration inevitably involves the input of numerous suppliers. The main cloud platform provider is, of course, the key one, but you may also have new and pre-existing software vendors, MSPs and connectivity providers to consider – all of whom may have their own demands on the timeline.

Hidden costs

Just because the shift to the cloud removes the burdensome CAPEX investments, it does not mean the OPEX spend requires any less scrutiny. The benefit of OPEX models is that businesses only pay for what they use. What many forget is that the other side of this coin is that without constant oversight, there is a real danger of paying for surplus resources.

Interested in migrating to the cloud?

Our team of experts will guide you through the most appropriate deployment of cloud technology for your business. We’ll design a bespoke cloud strategy for your organization, ensuring your security and accessibility needs are met, plus any data privacy obligations. The team will also select the most suitable platform and ensure a quick and smooth cloud migration.

What is California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA) is a Californian data protection law that governs how businesses are allowed to collect, process and share the personal information of California residents. The CCPA was enacted on January 1st, 2020 and enforcement began on July 1st, 2020, and is the most recent law to set the standard for ensuring data privacy in the United States of America.