Under the proposed General Data Protection Regulation, the function and tasks of the data protection officers (DPOs) are much more comprehensive and structured. At the IAPP’s Data Protection Congress in Brussels last week, four DPOs discussed how they expect their roles and responsibilities to change under the regulation and how they propose to leverage the opportunity.

Philippe Renaudière is DPO for the European Commission. He said while the number of complaints he receives yearly is limited, there’s always at least one that’s extremely serious and important, in which case the function of the DPO is to cooperate with the European Data Protection Supervisor (EDPS). But in general, from day to day, the role is much more pragmatic.

“That’s the first step: Raise awareness and create a culture of data protection. Train people,” said Renaudière. “I like that I’m a facilitator, because that’s my basic approach, my first approach to a problem. Normally, the commission is a decent institution with decent people who do decent things … It’s more a matter of explaining, defining the correct way.”

It’s also a bit about mediating and negotiating.

“Each time I’m involved at an early stage, I manage to find a solution agreeable to all,” Renaudière said. “The problem comes when people ignore my existence and then do stupid things.”

From left to right: Philippe Renaudière, Data Protection Officer, European Commission, Yvonne Cunnane, Head of Data Protection, Facebook, and Tobias Brautigam, Senior Legal Counsel, Microsoft Corporation

Similarly, Tobias Brautigam, CIPP/E, sees himself as a facilitator and an advisor more than a policeman. Brautigam worked for Nokia before it was acquired by Microsoft, where he is now senior legal counsel. At Nokia, he was primarily responsible for legal advice and program facilitation. When Microsoft acquired it, he became responsible for integration work as well. The shift was a bit tricky, he said, because Nokia had a very well functioning privacy program in place, so merging its program with Microsoft’s was a question of “which do you choose; how do you make that work?” he said.

These days, he’s mainly putting his skills to work as a privacy lawyer, either on new business ideas needing legal privacy advice early on or developing internal processes and communicating those. Additionally, he spends time putting out fires on an ad hoc basis.

“It’s a role where I make sure we have sufficient resources in the different units,” he said, adding the company has a training and awareness program in which he plays a role. “So much is changing. Proactively, I think of myself as an educator.”

It’s not so much his job to enforce or say no, he added, but more to advise on how to do things.

Yvonne Cunnane, head of data protection at Facebook Ireland, agrees she’s an educator first and foremost, both within the company and for users themselves. And that’s not her responsibility alone. Making sure privacy is at the heart of what the company does is a cross-functional effort, she said. She’s heavily involved in product review with the development team—at the early stages of the product cycle—and among the policy team, she said. Cunnane makes sure she’s talking to Facebook’s engineers to ensure they understand the company’s end goals, and she works “very, very closely with lawyers and third-party service providers,” she said.

Working with the policy team is essential because getting users to engage with Facebook is dependent on how empowered they feel. And that comes from messaging.

“It’s very important you can deliver the message in understandable, bite-sized ways,” she said. “That’s a very, very important skill to develop.”

Cunnane said another key part of her role is to cooperate and engage with regulators. Facebook Ireland’s prime supervisor is Ireland's DPA, but she said the company has a proactive outreach program to other regulators in the EU and globally.

“It’s very important that regulators understand what it is Facebook does,” she said. “It’s a very complex service we offer.”

Where Should the DPO Sit?         

Renaudière said his role is completely independent, attached to the highest administration in the commission.

“That gives me complete freedom to call or speak to anybody at any level,” he said. “I really like this position. I think it’s a very powerful tool for being efficient.”

But Citigroup EMEA DPO Stephan Geering, CIPP/E, said independence can be tough depending on the sector; most private companies will have someone approving the budget, so getting independence is tough to gain. In addition, it’s important to be positioned so that the DPO is viewed as someone who’s trusted and not as the enemy.

Being independent has its troubles, too.

“Some of you who work in big corporations will know,” he told the audience, “you’re sometimes very lonely, because people don’t want to talk to you. I think there’s a big conflict there that, yes, the independence is great and shouldn’t be pressurized by businesses, but at the same time, the independence has the risk, from my point of view, that if you lose this very important role as advisor and facilitator implementing these important concepts of Privacy by Design and by default, you’re taken out of the loops and businesses go ahead with what they think is great. It’s dangerous.”

Facebook’s Cunnane sits in the legal department, though her background is in IT. But she reiterated the role is very cross-functional and touches many departments, which is essential.

“You really need to know the business,” she said. “You’ve got to get down in the grassroots of the business, because there’s only so much one person can do or one level of knowledge one person can have … you can just all collaborate together for the best possible outcome.”

Brautigam said, like Cunnane, he essentially sits in every department. He said there’s privacy officers in IT, HR, legal, and they all cooperate either through boards or hierarchy. But, he said, sitting in legal has its advantages.

“My experience is, if you say ‘I’m a lawyer,’ people listen,” he said. “They should listen anyway, but I think it’s a strong argument to put it in that function.”

But where should the position sit under the new regulation?

“In many cases, there’s no right answer,” Geering said.

Regulation Means Role Shifts to Enforcer

Moderating the session was Bridget Treacy of Hunton & Williams, who noted the regulation will empower the DPO to be more of an enforcer, with the legal task to monitor compliance. And while, especially in smaller organizations, having more liability and responsibility may improve DPO standing in their companies, it also means a risk.

Renaudière said he likes the idea of an emergency brake, where when something looks very wrong, the DPO can go to the top of the organization and report it or go to the EDPS.

“But I think this should be the exception, because if this becomes the rule, you lose the role of facilitator and advisor. You cannot both facilitate and be an internal agent of the supervisor. This discussion in the coming month is crucial,” he said.