TL;DR A recent survey highlights the ethical dilemmas that arise from being an in-house lawyer. Robert Baugh, our lawyer-founder, believes these same dilemmas are being felt, and will continue to be felt, by Data Protection Officers (DPOs) given key similarities in their roles.
I’ll confess first – I was General Counsel of VC-backed SaaS companies for over 13 years. Do I recognise some of the findings in this report? Absolutely. Do I think the same ethical dilemmas apply to DPOs? Absolutely. Here’s why.
Let’s set out the stall for in-house lawyers. In England & Wales, in-house lawyers are regulated by the Solicitors Regulation Authority, whose 7 Principles (from November 2019) state that you must act:
In case you think #7 lets you compromise the other Principles, when you face a conflict the SRA states you must follow the Principle ‘which best serves the public interest in the particular circumstances, especially the public interest in the proper administration of justice’.
Now to this October 2019 survey by LOD in collaboration with 2 Professors. Some key findings were:
Only 12% were ‘Champions’ with ‘significantly higher perceptual and reflective moral attentiveness than the other groups and were also experiencing the greatest ethical pressure. They also had the lowest moral disengagement.’
Having been a General Counsel for over 13 years, I can recognise this, and that the tension can come from a well-meaning place. I can also attest that the strength of compliance in the organisation’s culture makes a huge difference to the above figures.
Now onto DPOs. Art 38 of the GDPR states that the controller or processor shall ensure that the DPO ‘does not receive any instructions regarding the exercise of [their] tasks’, that they will not dismiss or penalise the DPO ‘for performing his tasks’, and that, while the DPO can carry out other tasks, they will ensure that ‘any such tasks and duties do not result in a conflict of interests’.
Art 39 of the GDPR sets out those tasks, including:
(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data
(d) to cooperate with the supervisory authority
There are clear similarities: an internal adviser looking to advise the person paying their wages, required to act without conflict, and bearing obligations to a supervisory authority separate from their employer.
Case study: what’s a DPO to do when their employer decides something is low risk when the DPO believes it is clearly high or very high risk? What if that happens not once (perhaps a bona fide disagreement) but frequently, and a clear pattern of behaviour appears?
I’ve long thought that in-house lawyers are vulnerable to being put in a difficult situation. If things go wrong, there’s a strong impetus for fingers to point at the Legal and Compliance team(s), who usually hold only advisory power except in certain clear situations, rather than at the Sales or other commercial teams who usually hold the decision-making power. Again, the strength of compliance in the organisational culture will make a huge difference to whether in-house advisers feel that ethical or professional dilemma in the first place, to the strength of their voice in the decision, and to the organisation’s reaction to any incident.
It seems to me that DPOs are now in a similar boat and will be facing similar ethical dilemmas. Qualitatively, DPOs currently seem to me to be ‘Champions’. It will be interesting to see if they become ‘Coasters’ after a few years of facing these dilemmas.