Lothar Determann, Baker & McKenzie partner
Image: courtesy photo
When you set out to design and implement a data privacy compliance program for a company or other organization, you face a number of threshold decisions and preparatory tasks, including putting a person or team in charge of data privacy law compliance.
Someone needs to be in charge. If your business is a one-person sole proprietorship, then you are in charge. In larger organizations, however, there are typically a number of individual candidates or departments that could take charge of data privacy compliance, including lawyers, information technology staff, human resources and internal audit personnel. Each of these groups tends to have a different approach, strengths, and limitations. Here are some factors to consider as you look for the right person or team:
• In-house attorneys in corporate legal departments usually take an advisory role and inform others in the organization what applicable laws require, including data privacy laws. Depending on company culture and individual styles, the legal department may advise proactively or upon request. Lawyers are trained to interpret and apply laws, including data privacy laws, but not all lawyers are technology savvy or good project managers.
• Members of the information technology department are technology savvy, but may not find it easy to understand and apply laws. IT professionals are trained in deploying and maintaining equipment, software, and services that other groups (human resources, sales, marketing, production, etc.) use to process personal data. The IT department supports these other groups and provides technology that aids other departments' business objectives. The IT department usually establishes and implements protocols to protect personal data from unauthorized access (by deploying data security measures), but does not typically decide on access privileges for individuals or legal compliance matters.
• Some companies have separate internal audit functions, which are concerned with monitoring and enforcing compliance with laws and internal policies. Such audit departments are focused on verifying that the rule of law or existing compliance programs is adhered to, but audit personnel do not typically define the rules. You lose an extra pair of eyes if you have the same person create and audit a program. Also, when audit personnel conduct investigations, they are at a particularly high risk of violating data privacy laws. Investigators often want to search email boxes, computers and files, interview third parties about suspicious conduct and occasionally intercept live calls and other communications without prior notice to the data subject. Therefore, some companies feel that they would be letting the fox guard the henhouse if they tasked audit staff with designing a privacy compliance program.
• Another option is to select individuals from data user groups within a company, such as human resources or marketing. Companies that develop or sell information technology products consider data privacy not only a compliance challenge, but also a business opportunity. For example, cloud computing service providers and enterprise software and data storage providers increasingly consider data privacy laws in the product development process to ensure that their customers can effectively use the products in compliance with applicable laws ("Privacy by Design"). In consumer markets, however, the jury is still out about whether privacy protections are a relevant differentiator — some believe that consumers just do not care enough.
In most larger businesses, the person in charge of data privacy compliance usually comes from any of the above departments or areas of specialization. Larger companies with a great exposure or interest relating to privacy laws may decide to create a new department or office. Smaller companies may find it sufficient to put someone in charge on a part-time basis. If a company has a legal department, attorneys are usually involved in data privacy compliance. Often, legal counsel take the lead regarding data privacy compliance. But, the ideal candidate for project management does not necessarily have to be a lawyer, particularly if a company views data privacy more as a business opportunity.
Whoever takes charge within a company will have to answer the big "Why" question to obtain sufficient resources and support from stakeholders: Why is a data privacy and security program important? For some companies, compliance is a matter of risk management and avoidance of sanctions and liability. Others care additionally about potential reputational risks and opportunities and view privacy compliance as a differentiator. Also, for some companies, data privacy and security compliance is a key condition to selling products and services, for example with data storage or software-as-a-service providers. When you start out implementing a compliance program in a company, it can be very helpful to prepare a brief white paper in FAQ format to raise awareness and gain support among key stakeholders within the organization.
Persons who take charge of designing and implementing data privacy compliance programs sometimes hold the title "data protection officer" or "chief privacy officer." The roles associated with these and similar titles can actually be quite different in nature and you should consider carefully whether your company needs one or the other, or both.
One key reason why multinational businesses have a data protection officer is because they have a presence in Germany. Most multinational businesses consider Germany an important market. Under German data protection law, companies are legally required to formally appoint a data protection officer with a watchdog role to supplement supervision by governmental data protection authorities.
Germany was the first country to introduce the concept of a data protection officer in an attempt to force self-regulation via a company-appointed guardian of privacy interests. Other jurisdictions with early data protection laws, including France, opted for government notification and approval requirements instead. A middle-ground approach was adopted by the Netherlands, Norway, Sweden, and Switzerland, for example. These countries give companies the option to appoint a data protection officer in lieu of submitting more substantive filings to data protection authorities.
Some companies model their compliance approach for all jurisdictions where they decide to appoint a local data protection officer after the German rules. This usually ensures compliance with local rules (as the German requirements tend to be the strictest and most comprehensive), but this is not legally required. Many companies also voluntarily appoint data protection officers or privacy compliance liaisons for countries where this is neither required nor incentivized or even contemplated. In addition, many larger U.S. companies have a chief privacy officer, often as well as compliance officers, internal auditors, specialized legal counsel for data privacy law compliance matters, information security officers, and trained privacy professionals.
If you select and appoint a data protection officer in accordance with German law, you typically satisfy the requirements of other jurisdictions that define such a role by statute, for example, France, the Netherlands, Norway, Sweden, and Switzerland, except that you may have to notify local authorities of the appointment. Companies do not tend to formally appoint data protection officers where local law does not offer any meaningful corresponding exemptions from other requirements. For example, French law provides for rights and duties of a data protection officer, but does not require or significantly reward the appointment. Thus, most companies opt against a formal appointment in France. But companies with a presence in the Netherlands, Norway, Sweden, Switzerland, or other jurisdictions that reward the appointment by dispensing with other filing requirements tend to opt for the appointment of a data protection officer. Some companies appoint the same person for several or all jurisdictions where a formal appointment is required. This is particularly efficient for companies that use global systems and procedures, which can be monitored best by one person.
Separate and apart from satisfying formal statutory requirements to appoint a data protection officer, larger organizations especially see operational advantages in establishing a network of local liaisons for data privacy compliance and other compliance efforts in order to have specialized local contacts who can help implement and monitor these legal programs. Also, many companies voluntarily appoint a "global privacy officer" or "chief privacy officer" to demonstrate internally and externally that the company takes data privacy compliance seriously. It may also be beneficial to have one point person who takes ownership and responsibility for this topic — which affects many other functions, including IT, HR, physical security, law, finance, and sales and operations.
For such informal and voluntary appointments and for jurisdictions where the role of data protection officer is not defined by statute (for example, the United States), it is important that the company defines the authority and duties of the privacy officer in a detailed written memo or agreement. In particular, companies need to define expectations as to whether the privacy officer shall advocate primarily for privacy or company interests; provide advice or make decisions; react or be proactive? Similarly, shall the privacy officer coordinate, support, supervise, or monitor colleagues in roles with overlapping responsibilities (such as compliance officers, internal auditors, privacy counsel in the legal department and information technology and security staff in the IT, marketing, and HR departments)?
Companies have to decide and document what the objectives and expectations are: Should the CPO be a coordinator, advocate, adviser and/or guardian of privacy or the company's interests in data and compliance? Each company should find its own way in this respect, and each company should define responsibilities and tasks clearly in writing, so that the appointed individual clearly understands rights, obligations and expectations. If roles are not clearly defined, a misalignment of expectations could easily result in uncomfortable conflicts. For example, if a global privacy officer at a U.S. company understands her role as independent and public policy-driven as a German data protection officer, she might be quick to notify U.S. authorities of concerns. Or, if a member of the legal department is appointed as "CPO" and shifts his approach from acting as legal counsel towards a more executive role, this could undermine attorney-client privilege in certain situations. Companies should consider these and other pros and cons before making voluntary appointments, and then describe the role in a detailed writing to increase the chances of achieving the desired benefits and to reduce the risk of unwanted consequences and conflicts.
Lothar Determann is an adjunct professor at UC-Hastings and affiliated with the UC-Hastings Privacy and Technology Project. He is a partner with Baker & McKenzie.
