Date: 2020-04-16

The OneTrust DataGuidance ‘Thought Leaders in Privacy’ interview series is filmed across the world with leading privacy professionals discussing their advice for staying ahead of the curve and how privacy connects on a wider level with businesses and society. The series captures ideas from a range of subjects, including GDPR and CCPA requirements, data security and breach notification, risk & compliance, and emerging technologies.

We met with Ashley Winton, Partner at McDermott Will & Emery in March 2020. Ashley has a focus on global data protection and privacy, information governance and cybersecurity compliance. He has particularly in-depth knowledge of cyber breach response, cybersecurity in the context of payment systems, the lawful interception of data, and the conflict of laws in relation to corporate and government investigations and international litigation.

Ashley discusses how perceptions of the role of the data protection officer have changed, and what the role of the data protection officer should be during data protection-related litigation.

Perceptions of the data protection officer

The 18 months since the GDPR came into effect have had a great impact on how organizations view the role of the data protection officer. As Ashley explains, there was initial alarm around the obligation to appoint a data protection officer under the requirements of the GDPR.

“Fortunately, in the intervening year or so [since the application of the GDPR], the sky has not fallen in and people’s compliance programs have by-and-large worked well. I think we are finding more interesting problems in our organizations generally,” says Ashley.

With a shift in focus from achieving a level of compliance to maintaining it, Ashley says there is value in reassessing the roles and responsibilities of the data protection officer and potentially filling the post with someone who possesses an alternative skillset.

Data protection litigation

The characteristics of a data protection officer are generally understood to be, among other things, independence from company instructions with respect to confidentiality over the information they produce, whistleblower protection, assurance that there is no conflict of interest in their role, and facilitation of communications with regulators.

Ashley explains, “With all that in mind […] who do they represent? It doesn’t sound to me that they represent their employer and it doesn’t sound to me that they represent the regulators – they are not a private police force. So, I think their interests lay in serving the data subject.”

This poses a number of questions when litigation arises. In particular, Ashley notes that lawyers are keen to ascertain which side you are on when litigation commences, and with independence from both the organisation and the regulator, it may be at odds that a data protection officer is at the heart of such action, if they are considered a representative of the data subject.

