The Data Protection and Digital Information Bill had its second reading on 19 December 2023. The Bill will replace the current requirement for organisations to appoint a data protection officer (DPO) with a requirement for a ‘senior responsible individual’[1] to oversee data protection risks within the organisation.
In this article, I explain why, from an ethical standpoint, it will be beneficial for you to seek data protection advice from external service providers, in addition to your in-house data protection professionals. While the concept of DPOs will be no longer be legally relevant if the new legislation passes, a comparison between internal and external DPOs is still morally relevant and enables us to look ahead and consider why external data protection service remains valuable in the future.
A DPO is someone who can support your organisation to process ‘the data of its staff, customers, providers or any other individuals [i.e. data subjects] in compliance with the applicable data protection rules’[2]. Under the UK GDPR, your organisation is required to appoint a Data Protection Officer (DPO) in the following situations:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
Special categories of data includes, for example:[3]
- personal data that reveals ethnic or racial origin, political opinions, religious or philosophical beliefs;
- trade-union membership;
- genetic data and biometric data processed solely for the identification of a human being;
- health data; and
- data related to a person’s sex life or sexual orientation.
For example, if you are a hospital processing considerable amount of special category data, a DPO is mandatory for your organisation. But it is also becoming increasingly common for organisations to appoint a DPO voluntarily, as the expertise of DPOs will help you to comply better with data protection rules. To be sure, the appointment of data protection professionals will no longer be a matter of choice once the new legislation passes if you’re a public body or if your processing activities will carry out ‘high risk’ to the rights of individuals, since it will be legally required that organisations employ a ‘senior individual’ to oversee their data practices.
Currently, you can hire either an internal or external DPO. An internal DPO is someone appointed within your organisation who oversees your compliance with data protection regulations. An external DPO is someone (a contractor, consultancy or specialised firm in data protection) outside of your organisation who monitors the lawfulness and rightfulness of your data practices. IGS, for example, is an independent and external provider of data protection services.
Benefits of Internal DPOs, and How External DPOs Might Secure Them
The clearest advantage of internal DPOs is that it is convenient for internal DPOs to provide data protection advice that take seriously the particular circumstances of their employers.
For example, different companies have different structures, processes, and cultures. The insider information and perspectives of internal DPOs could enable them to tailor data protection strategies, training and policies in a way that fits more closely into the specific needs of their organisations. Internal DPOs are also in a better position to gain a comprehensive rather than narrow view of the data protection risks within their organisations, since some of those risks might arise very specifically from the interactions between different teams within the organisation.
Finally, internal DPOs can consistently contribute their data protection wisdom on various occasions within an organisation and thus facilitate a data-protection-sensitive organisational culture, whereas the training offered by external DPOs is usually project-based and therefore has a less significant impact on the data protection culture of a company in the long run. In this respect, having an in-house data protection professional will be valuable.
Unlike internal DPOs, external DPOs tend to have less time to work with the internal teams of the relevant organisations. But there are ways for external DPOs to familiarise themselves with the organisations they advise as well.
Many external DPOs—including IGS, of course—conduct thorough assessments of an organisation’s data processes and procedures; we engage in regular and open communication with the key stakeholders within the organisations we serve; we can collaborate closely with the internal teams of an organisation, such as legal, IT and human resources, to acquire an insider perspective into the data practices of the organisation; we can have periodic on-site visits to gain a better understanding of the organisation’s culture and data practices; and so on. In particular, external DPOs can be dedicated to programmes designed to improve the long-term data protection culture of an organisation. In fact, many external DPOs are involved in the design of data protection training programmes for clients.
In short, the organisational attachment of internal DPOs does provide them with some conveniences, but external DPOs have a variety of ways to secure what these conveniences can be expected to achieve.
Therefore, it should not be denied that internal DPOs have more exposure to the particular structures, practices and processes of their organisations. But this does not mean that external DPOs can never have adequate exposure to those such that they have enough knowledge to fulfil their principal mission—that is, amongst other things, to oversee the lawfulness of data practices of an organisation and their compliance with the regulations. It is certainly feasible for external DPOs to work closely with their clients to develop such knowledge.
In the past, it was common for organisations to decide if they should appoint a DPO externally or internally. But the Data Protection and Digital Information Bill, if passed, will render this question irrelevant. Arguably, the functions of ‘the senior individual’ will be similar to those of internal DPOs, whereas the former is likely to play a more powerful role in an organisation. However, does this mean that organisations need not consider seeking data protection advice from external parties in future, if the new legislation comes into effect? No. My moral argument for the benefit of so doing is simple: external providers are in a less difficult position to uphold the virtues applicable to data protection professionals in general.
The Strengths of External DPOs, and Why They Are Still Relevant for the Future
Amongst other things, the key missions of DPOs include: (1) protecting individuals’ data rights, (2) ensuring compliance of an organisation’s data practice, (3) promoting lawful and ethical data practices in an organisational setting, (4) handling data breaches and incidents, and (5) improving the data protection measures of an organisation, to keep the measures up-to-date with evolving regulations and technologies.
Moreover, DPOs should carry out these duties on an impartial and independent basis. This is the key virtue of DPOs. Many in-house data protection specialists are no less knowledgeable about regulatory issues compared to external DPOs, but the fact that internal DPOs are employees of the organisation they serve does put them in difficult ethical dilemmas on certain occasions.
Internal DPOs might face difficulties balancing the interests of their organisations with their data protection duties. In some cases, they could be under the pressure to prioritise their organisations’ goals over data protection commitments.
For instance, suppose an organisation will suffer from great commercial loss unless it embraces certain risky data practices that approach the boundaries of data protection regulations. In this scenario, the organisation’s internal DPO will be somehow forced to approve those risky data practices.
Another example is when a tech firm attempts to develop a new app requiring extensive data collection from users. This is a very promising app: if successfully developed, it is likely to produce tremendous commercial gains. The enthusiasm of everyone within the firm for this new app can incentivise the firm’s internal DPO to downplay the legal and ethical consequences of the app’s extensive data collection.
Another difficulty internal DPOs may face is concerned with their relationship with senior management. Suppose an internal DPO reports to a senior colleague who has vested interests in potentially unethical or even unlawful data practices, with which the DPO is not entirely comfortable. But the DPO might fear losing support from senior colleagues if they raise concerns over those practices in an entirely transparent manner.
In short, because the career of internal DPOs is tied more closely to whether the advice they give align with the commercial interests of their senior management team, their advice is inevitably shaped by the power dynamics between themselves and the senior staff.
Of course, it is unfair to say that only internal DPOs will face ethical dilemmas stemming from conflict of interest. There are consulting firms (not just in the domain of data protection) which, in order to align with the commercial interests of their clients, deliberatively provide advice supporting their clients’ ethically risky business decisions, and thus fail to uphold their duty of impartiality. Likewise, in some cases external DPOs could sacrifice their professional duty for greater commercial gains.
In general, however, external DPOs are less tempted to be involved in such unprofessional advising practices. The reason is that external providers of data protection services, including IGS, often serve multiple customers and are less dependent on fulfilling the commercial interests of particular clients. This does not only enable us to offer data protection insights built upon our experience of working with a variety of clients, but we also have a higher degree of autonomy not to be involved in toxic business relationships that undermine our principal moral and professional duty of impartiality. This flexibility and autonomy is more difficult to balance in the case of in-house data protection professionals, whose career prospect are tied closely to the commercial interests of the organisations hosting them.
Conclusion
The aim of this article, it should be emphasised, is not to show that external DPOs are better than internal DPOs. Although there are many ways for external DPOs to acquire sufficient knowledge of an organisation to provide sound data protection advice, for instance, it is undeniable that the close attachment of internal DPOs to their own organisations makes insider knowledge more available to them.
Yet, in-house data protection professionals sometimes face difficult ethical dilemmas. On the one hand, they have a professional duty to take seriously the commercial interests of their organisation. On the other hand, they have a moral duty to be impartial when they offer data protect advice to their employers. In principle, we know that the second duty should take precedence over the first, but juggling between these two duties is in fact a difficult task facing a lot of data protection officers.
This difficult dilemma is unlikely to fade away even if the new legislation is in place. Whenever someone works for an organisation, even if their work is to oversee the practices of that organisation, in certain cases they inevitably struggle to remain fully independent, especially when conflict of interests arises. It is not yet obvious how the new legislation will mitigate this in any substantive way. In fact, now that the recruitment of in-house data protection professionals stands a high chance of becoming a legal requirement for organisations, we have even greater reason to consider the value of external service providers.
For one thing, when internal data protection professionals are forced to offer legally or ethically irresponsible advice, external data protection/ethics specialists will serve as gatekeepers. For another, in-house data protection/ethics professionals can work closely with external data protection/ethics professionals, utilising the distinctive strengths of each other. For example, the insider knowledge of the former can help the latter provide more tailored advice to an organisation, whereas the exposure of the latter to the data protection/ethics problems facing various clients can assist the former in understanding the common legal and ethical standards/problems of data processing for organisations.
Finally, IGS takes pride in our dedication to having both legal experts, who already have a code of ethics to abide by, and leading academic ethics experts to address your data protection problems. Many organisations have already had worked closely with data protection advisors in the legal domain, but it is not yet common for organisations to consult academically trained ethicists who actively research cutting-edge problems in data ethics. This is why, in addition to the strengths of external data protection professionals mentioned above, we are likely to provide distinctive insights.
[1] https://researchbriefings.files.parliament.uk/documents/LLN-2023-0050/2023-0050-Data-Protection-and-Digital-Information-Bill-LARGE.pdf
[2] https://edps.europa.eu/data-protection/data-protection/reference-library/data-protection-officer-dpo_en
[3] https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/sensitive-data/what-personal-data-considered-sensitive_en#:~:text=personal%20data%20revealing%20racial%20or,sex%20life%20or%20sexual%20orientation.