The recent conference titled ‘Digital Challenges & Law’, organised by the Malta IT Law Association (MITLA), provided an interesting and rewarding opportunity for a deep dive into, among many topics, the recently enacted Digital Services Act and the latest developments on the European Digital Identity Wallet.
I had the privilege of participating in a discussion about the role of data protection officers (DPO) and the many misconceptions that surround it. In addition to the DPO role not being fully understood, many companies are leaving themselves exposed by not having adequate strategies in place to comply with data protection legislation and largely ignoring emerging legal guidance around this topic.
Misconceptions about the DPO role
The truth is that there are two key aspects to the DPO role. On the one hand, the DPO monitors an organisation’s operations to ensure compliance with the General Data Protection Regulation (GDPR), member state laws and internal policies, including raising awareness among staff.
On the other hand, a DPO should also be involved early in discussions relating to personal data processes. This means they can assist and advise on the best way to achieve business objectives while ensuring adherence to all legal obligations.
By advising on best practices for data handling and privacy, the DPO is well placed to help an organisation innovate safely, enabling the ethical use of data analytics, AI and other technologies that drive growth. This is the approach we adopt at Melita.
In other words, the role of the DPO extends, or should extend, beyond fulfilling compliance duties. The ability to advise on shaping business goals in line with data protection principles and advocating for privacy by design ensures an ethical approach to data management. This allows organisations to leverage data as a strategic asset for growth and innovation while building customer trust.
Maintaining a proper approach to the DPO role
Of course, adopting this approach requires an organisation to allocate the appropriate resources and, as importantly, to understand the need to maintain a proper separation between its own obligations as a controller or processor and the DPO’s obligations and duties as set out under the GDPR.
The GDPR imposes several obligations onto controllers and processors, such as that of carrying out Data Protection Impact Assessments (DPIA), reporting breaches and keeping records of processing activities.
While the DPO is there to inform and advise the organisation of its obligations, they have no responsibility for carrying out the tasks required to meet them. In fact, the DPO should have the facility to monitor the organisation’s compliance and provide an independent review of any data processes, reporting any data protection issues directly to senior management.
It is important, therefore, to create a clear job description for DPOs and for organisations to also set out who is responsible for carrying out certain tasks. It is also crucial to allocate training time for the DPO, to keep abreast of the law and guidelines surrounding their role.
Ensuring the DPO’s independence is fundamental to their integrity and effectiveness. Without independence, the DPO cannot provide the objective oversight and advice necessary to ensure compliance with the GDPR.
Achieving this and avoiding conflicts of interest between the role and the business objectives of an organisation must be based on open dialogue with senior management and the creation of a supportive environment that allows the DPO to work independently. Encouraging open communication and mutual respect can help ensure that the DPO’s recommendations are taken seriously and endorsed for the common good of the organisation.
Not just a compliance function
For many, the DPO exists just to ensure compliance with the GDPR. This is an important aspect of the role, but a DPO can, and should, be a lot more to organisations. Their expertise is an asset which should be used to develop better products and services for customers, making the best use of data and technology, to drive innovation and success.
At Melita, the DPO is involved from the early stages of every product development, every adoption of new technologies and analytics, and every supplier onboarding that involves the processing of personal data. This proactive involvement allows the DPO to assess any risks and advise on how they may be mitigated to ensure compliance with the GDPR.
By integrating the DPO into these processes, Melita ensures that data protection is considered from the outset to safeguard the interests of its customers, fostering a culture of privacy by design and default.
Amelie Abela Busuttil is senior legal counsel and data protection officer at Melita.