How can controllers balance regulatory and operational responsibilities?
Prior to GDPR, data privacy hardly figured on the radar screen of operational managers in marketing, sales or HR. It was a footnote for Legal to deal with. Now they find themselves with the additional responsibility of data controller, with a list of obligations as long as my arm.
Overlaying regulatory responsibilities onto an operational role is risky because it sets up competing objectives, and when the two collide, data protection is likely to take second place to business interests.
So, controllers are clearly going to need help if they are to meet their compliance obligations without impacting their operational responsibilities.
What are the possible solutions?
Well, a marketing manager could create a new data-protection role in her department and make it part of someone’s job. But if all controllers did this, it would be duplication — not to mention a siloed view of GDPR across the organisation.
A far better solution would be to centralise this new function under the DPO. This would be a logical extension of the DPO's role under Article 39, which is to inform and advise controllers on their obligations and to monitor their compliance. And since it would be challenging for a DPO in any reasonably-sized organisation to do all of this alone, they will inevitably end up with their own budget, staff and resources, in other words a Data Protection Office.
An analogy would be the PMO (Project Management Office), which provides enterprise-wide project governance and helps departments to run projects more effectively. Similarly, the Data Protection Office would proactively assist data controllers in their compliance obligations, enabling them to focus on their operational responsibilities.
Without a central Data Protection Office, we’d essentially be asking already-overworked operational managers to somehow find a way to balance their existing business responsibilities with high-stakes regulatory obligations. This would increase the risk of non-compliance, since day-to-day operational pressures usually win out over regulation.