Should DPOs take responsibility for risk?
A Data Protection Officer’s job is to inform their organisation about its data protection obligations and to advise on the risks relating to its processing of personal data. But should a DPO ever take on responsibility for a business risk?
Many organisations apply a ‘three lines of defence’ model for risk management. In this model the business functions that process data ‘own’ the risk (the first line), specialists such as the DPO and CISO advise those business owners (the second line), and an internal or external audit function provides independent assurance (the third line). Here’s a simplified diagram.
In this model the second and third lines of defence should never become risk owners. The DPO (and the CISO, where appropriate) provide specialist advice to the risk owners, enabling them to understand their obligations and risk profile fully so they can make well-informed decisions about how best to treat any privacy risks.
For example, risk owners, acting under advice from the DPO, must ensure appropriate technical and organisational measures are in place to protect the data.
However, in the real world this model can come under strain. Sometimes those who should take responsibility as risk owners have slippery shoulders and refuse to take on the risks. For certain kinds of processing (such as where data is used for analytics, insight and modelling) the processing risks may be shared across multiple business functions.
Other processing doesn’t sit conveniently with anyone. So things can fall through the cracks and nobody takes responsibility for making firm decisions. On these occasions a DPO might come under pressure to take risk ownership themselves. But should they push back?
This question was raised during our recent Privacy Question Time. We asked our 170-strong audience for their thoughts before our panel gave their views.
Do you think the DPO should take responsibility for privacy risks?
The results were pretty conclusive!
Chris Whitewood, Privacy & Data Protection Officer at Direct Line Group, agrees the risk shouldn’t sit with him:
“I think, as a DPO, advice and guidance to the business is crucial. It’s our job to impart knowledge and challenge how the business processes data. But you have to come back to accountability, and at the end of the day it’s the business that uses the data, collects the data and runs with it.
Our job as DPOs is to set the parameters for how they do this in a compliant way, coupled with independent challenge and oversight. The responsibility for managing risk sits with them. We’ve tried to push ownership back to the business areas, so they understand the risks they are running and can demonstrate the controls they have around those risks.”
Conflict of interests?
GDPR tells us, “data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner” (Recital 97).
The ICO, in line with European (EDPB) guidelines, says:
“…the DPO cannot hold a position within your organisation that leads him or her to determine the purposes and the means of the processing of personal data. At the same time, the DPO shouldn’t be expected to manage competing objectives that could result in data protection taking a secondary role to business interests.”
So, if the DPO took ownership of an area of risk, and played a part in deciding what measures and controls should be put in place, could they be considered to be ‘determining the means of the processing’? If so, this could lead to a conflict of interest when their role requires them to act independently.
It’s easy for legislators and regulators to put this in black and white, but we all know that in the real world these matters are rarely so clear cut. Often it isn’t straightforward, as Debbie Evans, Global Group Data Protection Officer for Rentokil-Initial, explains:
“I maintain a risk register, and where I can, I ensure an appropriate business owner is identified and accountable for the appropriate risk. However, I’ve felt compelled to take accountability for certain risks where there is a lack of a clear business owner.
Whilst this is not ideal, I feel duty bound to take responsibility, but ultimately I want to make somebody on the operational side of the business accountable for the risk.”
So, in theory we agree DPOs shouldn’t own business risks. But in the real world this is not clear cut, and it may not always be possible.