Two areas that I have been thinking about recently, and which I think will form a key part of my research moving forward, are conflict of interest and the extent to which the required skills and competencies of a DPO should be determined by the environment in which they are working.
I am going to return to the conflict of interest element when I have had an opportunity to think it through a little more, and focus here on the challenges around skillsets for DPOs. Recent discussions with a number of people have highlighted many issues with interpreting and applying the legislation around the role of the DPO, in particular the required competencies and whether these can somehow be scaled depending on an organisation's nature, size or processing activities.
I have also worked with food hygiene legislation for a number of years. The underpinning regulation for the hygiene of foodstuffs (Regulation EC 852/2004) introduced the requirement both for documents demonstrating compliance and for the training of staff involved in the processing of food. Importantly, both of these elements are required by law to be “commensurate” either to the nature and size of the food business or to the work activities required of the person being trained. Is this something that could be used in the field of data protection in relation to the “professional qualities” and “expert knowledge” of the DPO?
The food hygiene model for skills and competencies leaves the decision as to whether an organisation has achieved the necessary balance to the regulators. The industry has also developed associated best practice to help people understand and interpret what “commensurate” means in the context of their own businesses and organisations. Having engaged with various discussions and debates, I think this flexibility is something that may be fundamentally missing from current interpretations of the General Data Protection Regulation (GDPR) and associated domestic legislation, although perhaps there is room to interpret the legislation in this way. The GDPR takes a much more risk-focused approach than previous data protection law, so can a DPO’s skillset be developed based on the risk associated with processing activities?
The schemes issued to date by the Spanish and French regulators would suggest not. They propose that those named as a DPO should have knowledge in certain areas and, in some cases, set out tasks that every DPO should be able to complete, together with a common method of assessment. What is interesting about these schemes is that, at a very simplistic level of analysis, while they cover similar topics, they appear to be set at different levels of competence. Therefore, even if we use these schemes to begin to understand the different areas of law in which a DPO needs to be competent, it remains questionable to what level those competencies need to be developed. Both schemes attempt to ensure that if a person is a DPO, they will have certain associated skills and competencies and be able to carry out the tasks of a DPO regardless of context.
Comparing both of these schemes to the qualification frameworks, there seem to be some fundamental contrasts. I have used the Scottish Credit and Qualifications Framework (SCQF), although there are frameworks across Europe which can all be mapped to the European Qualifications Framework. These frameworks are based on learning outcomes and what people are able to demonstrate once they have completed a pathway of learning. There are 5 different characteristics in the SCQF that are assessed to produce a combined score for a particular learning activity.
- Knowledge and understanding
- Practice: applied knowledge, skills and understanding
- Generic cognitive skills
- Communication, ICT and numeracy skills
- Autonomy, accountability and working with others
Analysis of both schemes would need to be carried out at a much more detailed level, although I have provided a few examples below to illustrate my point.
The French scheme requires that a DPO knows “how to participate in identifying security measures that are suited to the risks and nature of the processing operations”. The Spanish scheme, by contrast, requires a DPO to “implement security measures that are suited to the risks and nature of processing operations”. This suggests that not only does the Spanish scheme require a higher level of knowledge about data protection, security measures (which are likely to be ICT related) and the implementation of those measures, but by implication it also expects a level of autonomy and/or the ability to take control of initiatives and manage them through to completion.
The French scheme requires that a DPO is “familiar with the documentation of data breaches”. By contrast, the Spanish scheme requires the DPO to “establish procedures to manage violations of data security, including assessing risk to the data subjects and procedures to notify supervisory authorities and data subjects”. A person’s skills and competencies are likely to need to be far more developed in a number of the 5 areas to comply with the Spanish scheme than with the French, particularly when considering the range of organisations in which a DPO may work.
The final example is the data protection impact assessment (DPIA). Both schemes require DPOs to be able to determine the need to carry out a DPIA, but the French scheme additionally requires only that a DPO can verify implementation and provide advice on the methodology, possible outsourcing, and the technical and organisational measures to be adopted. The Spanish scheme requires the DPO to be able to carry out DPIAs. Again, the level of knowledge required, particularly knowledge of the organisation in my experience, will need to be significantly more developed to comply with the Spanish scheme than the French.
While, as stated above, further work needs to be undertaken on all the required skills and competencies listed in the schemes, from these examples the French scheme could be graded as level 6 on the SCQF (equivalent to Highers in Scotland or A levels in England), compared to the Spanish scheme, which is likely to be around level 10, possibly higher, which is degree level or equivalent in difficulty. There is then also the question of whether skillsets at either of these levels can be effectively measured using the multiple-choice questions proposed by both schemes, which is a topic for another day.
It is always worth highlighting that the Spanish scheme also lists “softer” skills required by a DPO, which will be discussed further in the next blog post.
Coming back to interpreting the legislation for DPOs, are we any further forward with a reasonable approach to take in the absence of any guidance in the UK? My own view is that context is vital, and it would be extremely difficult to move forward on the basis of a single competency framework, applied across every organisation, that would allow every DPO to be “fully qualified” to work in their environment. Is this variation solely down to knowledge of the business and its operations, which the Article 29 Working Party’s guidance recognises as an important requirement? Personally, I think this is unlikely, as compliance is likely to look very different when you begin to compare organisations, whether private versus public, by size alone, by processing activities, or by any other factor. Consequently, you need to understand the legislation at a fairly detailed level to understand what options are available for compliance in any given circumstance. While knowledge of the organisation is unquestionably a factor, in my view the skillset required will not depend solely upon it.
Looking at this issue from a slightly different angle, every public sector organisation will be required by law to name a DPO. Some public sector bodies are small (some very small) and process very little personal data, and some will only process personal data relating to their own staff. Is it realistic to expect a small organisation that does not provide services to the general public (and therefore holds no service user personal data) to retain a person with the same skills and knowledge to deal with all the highly complex parts of the legislation as someone in, for example, a local authority? Is there any benefit in doing this, both for the organisation and for protecting the rights of data subjects?
At the other end of the spectrum, does it achieve the aims of the legislation if organisations are able to process large volumes of personal data (assuming they are not involved in regular and systematic monitoring, or the processing of special category data or data relating to criminal convictions or offences) without technically requiring a DPO? The ICO suggests organisations should record their decision making if a DPO is not appointed, although it is difficult to see how any organisation, potentially with little collective data protection knowledge, will decide to appoint a role that is likely to incur cost when it is not required to do so, regardless of the potential risks. Furthermore, without any detailed guidance on what should be considered, organisations are unlikely to be consistently making an informed decision about the appointment of a DPO.
My view is that there is a lot we could learn from the food hygiene model. If the application of required skills and competencies focused on the risk associated with processing activities, it would be a much fairer system and likely to be much more beneficial to protecting the rights and freedoms of data subjects. The GDPR makes a number of references to what should be considered higher risk in relation to personal data, processing activities and data subjects, and therefore it should be plausible to develop an approach that takes this into account.
One possible alternative approach to skills development for DPOs may be to have a very small core set of competencies, at a relatively low level on the qualifications frameworks, that all DPOs are required to possess and maintain. This could be complemented with learning pathways to develop competencies relevant to specific sectors or organisations, which could be based on risk and the nature of processing activities. This is certainly something I am interested in developing further, and I would be really interested to hear other people’s views and opinions on whether this would be effective and on the practicalities of taking it forward.