Help — my GDPR inbox is overflowing!

Michael Gentle
Oct 21, 2018 · 2 min read

How can controllers balance regulatory and operational responsibilities?

Prior to GDPR, data privacy hardly figured on the radar screen of operational managers in marketing, sales or HR. It was a footnote for Legal to deal with. Now they find themselves with the additional responsibility of data controller, with a list of obligations as long as my arm.

Overlaying regulatory responsibilities onto an operational role can be risky because it sets up competing objectives which could result in data protection taking a secondary role to business interests.

So, controllers are clearly going to need help if they are to meet their compliance obligations without impacting their operational responsibilities.

What are the possible solutions?

Well, a marketing manager could create a new data-protection role in her department and make it part of someone’s job. But if all controllers did this, it would be duplication — not to mention a siloed view of GDPR across the organisation.

A far better solution would be to centralise this new function under the DPO. This would be a logical extension of their role under Article 39, which is to inform and advise controllers on their obligations and to monitor their compliance. And since it would be challenging for a DPO in any reasonably-sized organisation to do all of this by himself, he will inevitably end up with his own budget, staff and resources — in other words a Data Protection Office.

An analogy would be the PMO (Project Management Office), which provides enterprise-wide project governance and helps departments to run projects more effectively. Similarly, the Data Protection Office would proactively assist data controllers in their compliance obligations, enabling them to focus on their operational responsibilities.

Without a central Data Protection Office, we’d essentially be asking already-overworked operational managers to somehow find a way to balance their existing business responsibilities with high-stakes regulatory obligations. This would increase the risks of non-compliance, since operations usually trump regulation.

Michael Gentle is the founder of The Balance of Privacy, a GDPR consultancy in Geneva.

The Balance of Privacy

Data privacy is the new normal