Business a.m.

Misconstruing the Data Protection Officer function within organisations

- MICHAEL IRENE, PhD Twitter: @moshoke Email: mike@mireneglobalconsults.com.ng

When Funke opened a bank account with a new Nigerian digital bank, she had no idea that what lay ahead would undo her emotionally and financially.

The bank’s marketing had caught her attention some months earlier, the founder’s entrepreneurial vivacity thrilled her, and she decided to open an account. About six months later, Funke found out that the bank’s information privacy practices did not match the privacy notice on its website. She received text messages from third-party vendors every time she used her ATM card, and she felt the bank was monitoring her every day through several unknown means.

Now, would you, dear reader, like your bank to track where you go daily?

Funke’s experience is the kind of story that tends to come to light only when something serious happens: when she loses a substantial sum of money, perhaps, or when someone uses her identity for fraud.

The digital bank’s Data Protection Officer (DPO), who also doubles as the Chief Information Security Officer (CISO), knows about this issue and has raised it in several board meetings. However, the bank’s entrepreneurial founder is adamant and argues that those vendors add to its revenue. The DPO knows the founder is wrong and says so in meetings, but this often leads to boardroom squabbles. In this situation, what can the DPO do? Resign, or blow the whistle?

The data protection officer role carries various functions within an organisation, but two consistent features stand out: the ability to act independently and autonomously. These “independent” and “autonomous” features are missing from most data protection officer functions.

Most data protection officers work from a compromised position and often perform their tasks in fear of being thrown out by their employer. Any organisation that prioritises data privacy would allow its data protection officer to perform their functions without prejudice.

But most companies make no such concession to these data privacy realities. They continue to believe that the data protection officer’s role should not have that independence, while refusing to understand what matters most in data privacy frameworks: monitoring and audits.

They continue with the fiction that this role’s only function is to be part of the company’s data privacy team, ensuring that the company abides by data privacy laws and never embarrasses the company’s brand. These companies forget that data protection officers are positioned to advise the board on what to do. Where necessary, or where the company does not want to align with global data privacy standards, the data protection officer can escalate issues to the data protection authorities in that business jurisdiction.

Such companies’ long-term data privacy approach is skewed and exposes them to data privacy breaches. This is not about nebulous, bureaucratic office politics; it is about prioritising consumer and business expectations.

In the example above, I do not think Funke will want to bank with a banker who processes her information for purposes outside the initial contractual obligations. In such a situation, the data protection officer should have the power to work with the technical team to stop all unlawful processing, without fear of board repercussions.

As a rule of thumb, the data protection officer’s role should not conflict with other senior management positions or any other role in the organisation. Where possible, it should be a standalone function that reports to the C-suite and updates the data protection authorities.

In a previous article, I enumerated the data protection officer’s role and how it helps shape the company’s information management schemes. Failure to understand the function of a data protection officer within an organisation often leads to confusion and exposes the data privacy knowledge gap at the executive levels of an organisation.

Organisations must learn to give data protection officers autonomy and trust them enough to act independently. Some organisations fear that extending that “power” to a data protection officer might backfire. I do not think that is the case; only companies with dodgy privacy frameworks have anything to fear.

There is nothing to gain in misconstruing the role of a data protection officer within an organisation. Any organisation that is confused about how to fit the position within its structure should seek help. Doing so will be a gift to the rest of the business and, in the long run, help the company ward off regulatory trouble, enhance its overall business function and promote its global competitive edge. There are many Funke cases out there, but organisations can empower their DPOs to carry out their mandated functions.
