Data Protection Trends and the Rise of the DPO

The debacle in the recent years involving Facebook: first the Facebook-Cambridge Analytica data scandal in 2016, then the outcry against Facebook-owned messaging app WhatsApp in 2021 (even when WhatsApp was being forthright in its Privacy notification) demonstrates that privacy is something that consumers are very sensitive of. In fact, the reaction justifies the data protection laws that are now being implemented in various jurisdictions across the world.

The Foundation of the Trend: Information

As far back as when printing was invented, privacy and data protection became a concern when information (and information about an identifiable person) could potentially be widely circulated. The free flow of information (especially in the rise of advertising in the late 19th century) eventually brought about the conflict “rights” between the individual and the wider establishments (e.g. organisation, government or community).

The situation came to head when personal information was used in the discrimination and the methodological persecution of a race of people – the Jewish holocaust in World War II. This was because the personal data of the citizens were accessed by the occupying force (i.e. the Nazis).

These are the major cultural and historical factors in our reluctance to giving excessive personal data to organisations (including government). As such, legislations have been set up post war to safeguard privacy and legislations against misuse of personal data.

The Rise of Information Age

The post war development of technology expedited the Information Age. The business model for revenues and profits provided organisations the impetus to develop and leverage on technology to harvest the benefit of information: from audio visual, personal data, metadata and so forth.  In the Information Age, - data enables the organisation to be more efficient in the way it operates, produces, communicates (market) and organises itself.

The last couple of decades has seen the internet connect the world and within a few years, individuals and organisations transitioned from desktop to handheld mobile devices.

Computing power and data usage have exponentially increased, and devices have inversely shrunk, making the internet ubiquitous.

The Internet Age enables individuals to work, transact and learn almost anytime, anywhere (including our private space) as long as there is a connection. The converse is also true: that the organisation can reach into the individuals’ space anytime, anywhere.

With the data collected, many online functions/transactions could be automated, where decisions can be delegated to machines through Artificial Intelligence: we are now entering the Age of the Machine. In the interest of convenience to consumers and doing business more efficiently, it is natural for organisations to use the data for predictive analysis and the next step: process automation for transactions. With such advancement, many organisations need to depend on third parties for specialised services.

The Rise of the Machine (Learning)

It is inevitable that organisations integrate the two: Business Operation Process with the use of data to enable business operation processes to be automated. Some consumers/ individuals are uncomfortable about using their personal data that enables impersonal transactions to take place. In fact, under the GDPR Article 22, it specifies that individuals have the right not to be subjected to “Automated individual decision-making, including profiling”.

As business processes get automated and evolve, we are moving into the field of Artificial Intelligence. There is a need to balance technological capability with public expectations, including ethics as the technology and the field develop over time.

The Risks

In addition to the cultural inclination for privacy and lessons learnt in World War II, the Information Age has brought about another danger: digital impersonation. Personally identifiable information (PII) or personal data can be misused for impersonation for online transactions and other fraudulent purposes. The risk is not just what the organisation face in its digitisation, but such risks are also present in the use of third-party services.

Despite these, the use of personal data to enable transactions has also benefited the individuals/ consumers in many ways, in terms of enabling them (to make informed choices) and facilitating convenience.

The need for Data Protection Laws

To safeguard the interest of the individual (due to the concern about privacy mentioned), legislations had to play a “catch-up” game to provide guidance to the organisations. This requires a balancing of the rights of the individuals (rooted in human rights), consumer rights, business and economic requirements and ethics.

The Rise of the DPO

Many of the jurisdictions put in place legislations to ensure that organisations demonstrate responsibility and accountability in the collection, use, disclosure and storage of personal data. As part of the legislation, many require organisations to appoint a Data Protection Officer (DPO).

The GDPR for instance, requires the controller (organisation)/processor (intermediary) to designate a DPO if they process or store large amounts of EU citizen data, process or store special personal data, regularly monitor data subjects, or are a public authority. In the Information Age, this covers most business operations in the EU.

Similarly, jurisdictions in South-East Asia require organisations to designate at least one data protection officer (DPO) to oversee data protection responsibilities and ensure compliance with the data protection law and be the liaison point with stakeholders: i.e. individuals or regulators.

The development has given rise to the importance of the role of the Data Protection Officer. The DPO has to juggle the fields of business/consumer ethics, law, business operation, governance, compliance and risk management.  This is a tall order but necessary in view of the risks organisations are exposed to today.

The link between Data Protection and GRC

The risk of data breach is quite significant: according to the DPEXNetwork DPO survey, 22% of DPOs reported their organisations experienced a breach within a period of 3 years. The question is not “if” a data breach happens but “when” a breach happens, which leads to the question: is the organisation adequately prepared to respond? With increased enforcement and sharpening of legislations, it is obvious that data protection is an important part of the governance, risk and compliance management programme of an organisation.

Getting Upskilled

Read more about development in data protection trends and how it is linked to GRC.  There is also a course that enables participant to understand the trends in digitisation and demand for DPO.  This can be followed with training and certifications available to equip the DPO in the area of data protection and GRC (Governance, Risk and Compliance management).

Article by: Leong Wai Chong, CIPM, GRCP

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.