"I had the impression, I think the text even mentioned it, that the DPOs would work for an external body and have the various organisations as their “clients” and come in to review and recommend even as they were deeply aware of the performance of the organisation."

Articles 37(2) and 37(6) *permit* the DPO to be someone external, but the Regulation and the A29WP guidance certainly don't suggest that is the only, or even the preferred, approach.

Realistically speaking, data controllers and processors are not going to voluntarily submit themselves to some sort of ongoing external audit. If the DPO is outsourced it will be on a normal service contract, with all that that entails and implies.

Jon Baines, 
Chair,
nadpo.co.uk 

On 18 Jan 2017, at 19:09, Lawrence Serewicz <[log in to unmask]> wrote:

Dear All,

I am coming to this late. Having read the A29 Working Group paper, I had the distinct impression that they saw them operating like external consultants or auditors. I had the impression, I think the text even mentioned it, that the DPOs would work for an external body and have the various organisations as their “clients” and come in to review and recommend even as they were deeply aware of the performance of the organisation.

In this way, like external auditors, who are often co-located within the organisation, they provide an internal knowledge yet have an independence.

I think that this is going to develop in time. Why? A DPO sitting inside will face way too much internal cultural and organisational pressure to be co-opted to the organisation’s view or the desire to get along.

My fear is that the DPO can be easily co-opted in the way that Arthur Andersen was co-opted by Enron. Why jeopardize fees, hefty ones at that, if the DPO is willing to sign off on what the Org wants? Bright lines will exist to be sure, yet over time people get habituated. Who wants to seriously rock the boat and tell their CX, for the 10th time, that this or that system is not right and more work needs to be done?

Soon you will be asked, what is the minimum? Do we really have to do it this far? I read that another council does it this way. Alternatively, you may be asked to be understanding of what the organisation does; after all, the *really important stuff* takes precedence over the GDPR in any case, as we *know* what is SPD, after all.

In time, you run out of the strength to tell the organisation to do X. At the same time, the organisation gets tired of being told it needs to do X. Soon both sides want to do just enough to get by, as it takes a lot of effort to sustain an independent, criticising role while working within or for an organisation. Human nature being what it is, powerful people want to hear good news and people want to give good news.

We shall see. I think handling SARs will be the least of the concerns.

Best,

Lawrence

Lawrence Serewicz
Information and Records Manager
Transformation and Partnerships
Durham County Council
County Hall
Room 143-148 4th Floor
Durham
County Durham
DH1 5UF

Direct 03000 268 038
Switchboard 03000 26 0000

www.durham.gov.uk


All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html

Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):

All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]

Any queries about sending or receiving messages please send to the list owner [log in to unmask]

(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)
