The incoming EU General Data Protection Regulation requires many companies to appoint a data protection officer
Could a risk manager take on the role of a data protection officer? FERMA believes risk managers are well-placed to do the job, but other risk professionals are less convinced.
The General Data Protection Regulation (GDPR), coming into force on 25 May 2018, stipulates that a data protection officer (DPO) must be appointed if the company:
- is a public authority
- carries out large scale systematic monitoring of individuals
- carries out large scale processing of special categories of data, which include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation
Based on the GDPR’s definition of a DPO, the European risk management association believes this is a job that could be done by risk managers. FERMA’s chief executive Typhaine Beauperin says: “In some companies the risk manager is already a data protection officer, because the DPO has to be someone who is neutral, independent and has direct access to the board. So it is an opportunity for the risk manager to confirm what we have been saying all along, which is that cyber has to be discussed at board level.”
Jo Willaert, FERMA president, adds: “The risk manager is supporting the strategy of the company and the decision makers, but companies don’t always see it this way. The GDPR is very clear: the DPO should be one person, an independent person and a person who is close to the board. Anyhow companies will have to find one function for that and now it is up to us as risk managers to step into the spotlight and say ‘we are here, it’s our job’.”
However, some risk professionals are reluctant to mix the responsibilities of the risk manager with those of other functions.
Sabrina Hartusch, global head of insurance at Triumph, says: “If the risk manager becomes the data protection officer, then undoubtedly questions will arise why the risk manager does also not become the environmental health and safety manager or the building security manager, and so on. There is a sheer endless amount of core and non-core responsibilities the risk manager could take on. The question is whether this is practical and realistic.
“I tend to be in favour of not mixing the function of risk management and data protection management. No doubt, there will be a close alignment and collaboration between the two on how data protection can operationally be achieved. However, they are two different functions, whereby the data protection officer is also in charge of the operational execution.”
Elaine Heyworth, head of risk and insurance at the Royal British Legion, points out that the role of a risk manager is to supervise and facilitate the risk management processes of a business, but that it is not their role to own the risks themselves.
“I think it’s really important that risk managers have an independent voice when it comes to managing risks of a business. If they seem to own those risks, then the people who really do own them, pass the ownership along, to the detriment of risk management,” she says.
“I’m not saying that risk managers couldn’t do the role. Given the work we do across functional areas and business units, we probably have the skillset to manage data protection issues better than most people, but I don’t think the roles should be mashed together. If a risk manager also takes on data protection, then that should be separate to, and removed from, the risk role he or she holds.”