The impact of the Data Protection Officer (DPO) in the firm’s strategic decisions

Abstract

This dissertation adopts an exploratory empirical research method in order to address a subject that has recently gained considerable media and corporate attention. The urgent focus on the issue in relation to the principles of data protection in corporate governance and the business world results from the fact that although the General Data Protection Regulation (GDPR) affects virtually all companies and requires them to employ a data protection officer (DPO), in fact, the reality does not reflect this. Of the almost 27 million companies in the European Union required by law to enforce GDPR regulation, most have never heard of their requirement to employ a DPO in full compliance with the legislation, even though full observance of GDPR became mandatory as of 25 May 2018. The current research analyses the role of the DPO and explores its potential to impact on the business world. The research assesses the transformational effect the GDPR paradigm has had on the system of corporate responsibility of the businesses that must observe it. In particular, it examines the competencies and responsibility bestowed on the DPO, given that the regulation effectively gave the role the power to take responsibility for and actively influence the direction of a company’s strategic decision-making. In order to identify the gaps, the research commences with an examination of the nature of this transformational paradigm, focusing on its origin, development and finally its execution. The analysis then focuses on the selection, appointment and profile of the DPO and additionally gains insight into the role, actions taken, and structural implementation of the DPO role within organizations. Examination of the relationship of the DPO with other stakeholders and its relationship with the board produced pertinent data, allowing the researcher to come to a number of conclusions as to the impact of GDPR, the DPO’s role, and the role’s relevance to corporate governance.
This qualitative research, using semi-structured interviews, selected interviewees according to the criteria adopted, with a focus on organizational reputation and the importance of personal data-handling. The DPOs were selected from multinational listed companies operating in data-driven sectors (e.g. banking, telecommunications, pharmaceuticals and retail) because, as these organizations handle highly sensitive data as an indispensable part of their core business, the DPOs within them play a pivotal role in terms of influence. What emerged from the research is that the involvement of the DPO differs: sometimes the DPO is central to the development of GDPR compliance and sometimes the role is there just to ensure compliance and provide training. The research suggests that the DPO does have real influence at board level; however, the hypothesis is also that the DPO can directly intervene in the decision-making processes of organizations, either in the development or in the execution of GDPR, as a direct result of their involvement in the implementation of the strategy. Finally, even though GDPR is a very recent paradigm, which means there are no guidelines or case law to refer to, this does not diminish corporate responsibility to comply. However, as businesses often rely upon instinct and community, and base practice on trial and error, the consequences – both positive and negative – are yet to manifest.