Data protection officers: what division should they sit in?

I recently read an online article titled Rise of the data protection officer (DPO). In it the author quoted the Gartner analyst Carsten Casper, who said: “A DPO mostly reports to information technology (IT), or information security (IS), and sometimes to risk management – not legal. These are typical reporting lines for the DPO”. As a specialist legal compliance and governance recruitment consultant whose remit covers data protection, I was somewhat perplexed. Had I been hired into the wrong team? Should I be sitting in risk or even technology? I decided to investigate the author’s statement in an attempt to disprove it and solidify my position amongst my legal teammates.
I began my investigation by delving into the database of candidates that PageGroup has built up over nearly 40 years. I wanted to see what background a typical DPO had and which recruitment teams the candidates belonged to. What I found was eye-opening. An overwhelming two thirds of candidates who had privacy or data protection in their CV were ‘filed’ within the legal database. The rest were within the technology or risk database. Of the thoroughbred privacy candidates (by this I mean those working solely in DPO roles) found on the legal database, around 50% were solicitors, 30% had a legal background (i.e. had completed the LPC) and the final 20% had an audit or compliance background, typically within banking.

What DPO candidates say

Having spoken to a number of DPO candidates, the consensus was that DPOs could not sit in IT or IS because these divisions were far too operational. Fundamentally, people working in IT or IS are doers and are too close to the data flow process to be able to differentiate between reasonable operating risks and risks that could land the company with a hefty fine from the regulators. On the other hand, you may have a head of legal highlighting DP regulatory risk where there is none, taking a far too cautious approach that results in a DP policy that is too slow to react to sudden regulatory changes or operating risks, leaving the company open to IS breaches or loss of potential revenue.

The DPO function

Bridging the gap between IT and legal departments is no mean feat. Successful DPOs need a strong understanding of the law and the regulations by which they are governed. They need to be technologically savvy and understand the systems that protect and process the data, but they also need a strong business sense in order to create and roll out training programmes and investigate potential breaches. This is summed up by Casper, who states that “while a legal background is desirable, it would be better to select a business-minded person who understands marketing, HR, application development, and how business ideas get implemented in IT.”
I would argue that one can be both legally trained and business-savvy, and that the reason a lawyer moves in-house is to get closer to the business and have more commercial input. Wouldn’t it be better to have a legally qualified DPO than one who has no legal experience or qualifications?
For more information on legal compliance and governance roles, or to begin your job search, contact Miles Gillhespy at Michael Page Legal now.
T: +44 20 7269 2310