Help — my GDPR inbox is overflowing!

Michael Gentle
Oct 21, 2018 · 2 min read

How can controllers balance regulatory and operational responsibilities?


Prior to GDPR, data privacy hardly figured on the radar screen of operational managers in marketing, sales or HR. It was a footnote for Legal to deal with. Now they find themselves with the additional responsibility of data controller, with a list of obligations as long as my arm.

Overlaying regulatory responsibilities onto an operational role can be risky because it sets up competing objectives which could result in data protection taking a secondary role to business interests.

So, controllers are clearly going to need help if they are to meet their compliance obligations without impacting their operational responsibilities.

What are the possible solutions?

Well, a marketing manager could create a new data-protection role in her department and make it part of someone’s job. But if all controllers did this, it would be duplication — not to mention a siloed view of GDPR across the organisation.

A far better solution would be to centralise this new function under the DPO. This would be a logical extension of their role under Article 39, which is to inform and advise controllers on their obligations and to monitor their compliance. And since it would be challenging for a DPO in any reasonably sized organisation to do all of this alone, they will inevitably end up with their own budget, staff and resources — in other words, a Data Protection Office.

An analogy would be the PMO (Project Management Office), which provides enterprise-wide project governance and helps departments to run projects more effectively. Similarly, the Data Protection Office would proactively assist data controllers in their compliance obligations, enabling them to focus on their operational responsibilities.

Without a central Data Protection Office, we’d essentially be asking already-overworked operational managers to somehow find a way to balance their existing business responsibilities with high-stakes regulatory obligations. This would increase the risks of non-compliance, since operations usually trump regulation.

Michael Gentle is the founder of The Balance of Privacy, based in Geneva. For similar articles by Michael, click here.

The Balance of Privacy

Data privacy is the new normal
