Avoid being avoided : organizational challenges, roles and strategies of data protection officers


Academic year: 2021


Avoid being avoided:

Organizational challenges, roles and strategies of data protection officers

Joost Agterhoek

University of Amsterdam

Master’s Thesis Sociology, Cultural Sociology

Graduate School of Social Sciences

First and second reader: Olav Velthuis and Alex van Venrooij

Department of Sociology

Joost Agterhoek, 11259884

27976 words

Table of contents

Summary of research

Introduction to research

Theoretical framework

Methodology

Findings: Awareness, a many-headed beast

Introduction to the findings

Chapter 1. Awareness as an organizational challenge

1.1 Introduction

1.2 Challenges in social care and multinationals

1.3 A continuous struggle

1.4 ‘Repair work’ and external unawareness

1.5 Chapter conclusions and theoretical analysis

Chapter 2. Why lacking awareness is a problem for DPO’s

2.1 Introduction

2.2 Idealistic or pragmatic? What DPO’s think about the GDPR

2.3 Lion or lamb? What DPO’s think about the Autoriteit Persoonsgegevens

2.4 ‘Shadow administration’: What organizations think about the GDPR

2.4 Unawareness, repair work and DPO’s roles

2.5 Chapter conclusions and theoretical analysis

Chapter 3. Open-ended institutionalization and issues of awareness

3.1 Introduction

3.2 What should a DPO be?

3.3 DPO’s in aware organizations

3.4 What should a DPO do?

3.6 Chapter conclusions and theoretical analysis

Chapter 4. Privacy is personal: DPO’s strategies

4.1 Introduction

4.2 Awareness ambassadors and fortune cookies: DPO’s awareness strategies

4.3 Making privacy personal

4.4 Strategies to ensure implementation and compliance

4.5 Strategies to ‘avoid being avoided’

4.6 Chapter conclusions and theoretical analysis

Conclusion and discussion

Appendix

Summary of research

This exploratory qualitative study shows how the roles and strategies of data protection officers (DPO’s), mandated by the General Data Protection Regulation (GDPR), are institutionalized in an open-ended fashion within and by the organizations where they advise and supervise implementation and compliance. To strengthen privacy rights in a technologically advanced and data-driven world, the GDPR introduces and reinforces organizational requirements to personal data processing with significant sanctions. To inform and advise organizations about implementation and oversee compliance, the GDPR requires particular organizations to instate DPO’s as internal independent GDPR-experts.

To understand what strategies DPO’s employ to ensure implementation and compliance, 13 DPO’s in various public and private organizations were interviewed and documents used for implementation and compliance were qualitatively analyzed. Data was gathered before the GDPR went into effect on May 25 2018, writing up was done after.

The empirical research was informed by a theoretical framework of (organizational) sociological theory both institutionalist and constructivist. This framework connects the institutionalization of actors tasked with compliance to DPO’s positions, roles and strategies and ties recurring challenges of implementation to issues DPO’s might face, like policy decoupling, (middle)managerial resistance and employees continuing entrenched routines. The framework also included institutionalist insights about organizational norms and beliefs and reputation-related sensitivities of implementation and compliance. Lastly, constructivist theory on social problem construction was linked to DPO’s co-constructing privacy and the GDPR as an organizational problem, thereby trying to ‘set the agenda’ of their organization.

Common themes and salient findings were organized by exploring the organizational challenges that DPO’s face, how these relate to the institutionalization of their positions and roles and finally, how the strategies they employ to overcome these challenges are institutionalized. The connecting theme that arose is awareness, a multidimensional concept and issue influencing and co-constituting DPO’s challenges, roles and strategies.

Lacking awareness is both an organizational challenge in itself and conducive to other hurdles that DPO’s face. To comply with a law, organizations and their surroundings must first know the law. Unawareness also confronted DPO’s with ‘repair work’ of organizational privacy protection and information security. Organizations were more aware either because of recent reputation damage due to privacy scandals or because of a long-term pro-active approach to privacy protection. Lacking awareness was nevertheless an ongoing struggle for DPO’s, regardless of privacy-related experience.

Deeper theoretical analysis of decoupling, managerial resistance and entrenched routines showed why DPO’s identify lacking awareness as their main challenge. Theory indicates that regulatory awareness is created and sustained through public attention, costly and publicized lawsuits and auditing. This study shows that organizations are indeed more aware after suffering reputation damage from privacy scandals (public attention) and that less aware organizations need DPO’s to initiate requirements like the records of processing activities (auditing). Costly and publicized lawsuits were at the time of this research an issue for the future, as the GDPR was not yet effectuated.

Why awareness is lacking in the first place was then further analyzed through a constructivist lens and related to the institutionalization of DPO’s roles and strategies. The organizational challenge of lacking awareness makes privacy protection and the GDPR organizational problems that are still ‘under construction’. How these problems can be understood and dealt with relies in part on DPO’s interpretations of the GDPR, which are co-constructed by the institutionalization of their positions and roles, which in turn is affected by organizational awareness.

Since the GDPR like other organizational regulation contains ambiguous legal norms, implementation and compliance is variously interpreted by organizations and DPO’s. What a DPO is, proved in itself to be ambiguous, as this study shows DPO’s in various organizational capacities, with various professional and educational backgrounds and sometimes conflicting perceptions of what a DPO should be. How these varying DPO’s then interpret implementation and compliance depends on how their roles and strategies are constructed. This study shows that this open-ended institutionalization of DPO’s is influenced primarily by awareness of privacy protection and the GDPR and its subsequent implementation. DPO’s in less aware organizations fulfil advisory and even supportive roles to implement required organizational and technical measures, where DPO’s in more aware organizations fulfil more advisory and supervisory roles. However, to ‘avoid being avoided’ and remain approachable internal authorities, DPO’s continuously juggle advisory and supervisory roles.

What strategies DPO’s employ to overcome lacking awareness and ensure implementation and compliance, is of course dominated by the multidimensional concept of awareness. DPO’s strategies to awareness training vary in form and starting point, in congruence with organizations’ varying levels of awareness. What does not seem to be institutionalized in an open-ended fashion is that DPO’s approach awareness training top-down and construct privacy protection and the GDPR as organizational problems that must first be personal. DPO’s thus draw upon organizational norms and beliefs for implementation and compliance, but in a particularly individual way.

Based on these conclusions, future research should delve deeper into the organizational contexts where DPO’s positions and roles are constructed, how these DPO’s interpret and thereby influence implementation and compliance, why lacking awareness is their main challenge and how all this ultimately affects how organizations protect our privacy. Such research could then inform policy for benchmarking if and how DPO’s and their

Introduction to research

How do organizations protect our privacy? And what strategies do data protection officers employ to ensure implementation and compliance to the General Data Protection Regulation within their organizations? Through technological advancements like increasing datafication (the social web, Internet of things, mobile devices) and (big) data analysis, companies and organizations in commercial, governmental and social contexts gather more and more personal data to categorize individuals and inform decision-making (Andrejevic, 2011; Anthony, Campos-Castillo & Horne, 2017; Lyon, 1994/2015; Mai, 2016; Monahan, 2008; Van Dijck, 2014).

These developments offer benefits as well as risks, ranging from more personalized products and services, better healthcare and social interventions, to loss of privacy, reinforcing inequality through discriminatory social sorting and increasing social and political control. We can think of Snowden’s revelations of mass governmental surveillance via major tech platforms like Google, Apple and Facebook, data brokers profiling poor people as financially vulnerable for commercial purposes and platforms like Facebook managing to manipulate users’ emotions (Madden, Gilman, Levy & Marwick, 2017; Taplin, 2017; Van Dijck, 2014). A recent example of behavior manipulation through personal data analysis is Cambridge Analytica’s political psychometric profiling with Facebook-data (Cadwalladr, 2018). Such pervasive surveillance is argued to be particular to our current modernity, summarized as surveillance society or culture (Lyon, 1994/2015).

To account for technological advancements in data gathering and analysis and to strengthen European privacy rights under one harmonized regulation, the General Data Protection Regulation (GDPR) was approved in 2015 to replace the 1995 Data Protection Directive (Verordening (EU) 2016/679 van het Europees Parlement en de Raad; Voss, 2014; Zuiderveen Borgesius, 2016). The GDPR went into effect on May 25 2018 (Regulation (EU) 2016/679 of the European Parliament and of the Council).

As the GDPR elaborates on earlier data protection legislation, organizations have to implement and comply with both existing and new requirements (KPMG, 2018; Regulation (EU) 2016/679 of the European Parliament and of the Council, Voss, 2014). New requirements include keeping records of processing activities, executing data protection impact assessments (PIA’s) for high risk personal data processing and using data processing agreements to let other organizations process data you are responsible for, all for the sake of accountability (KPMG, 2017; Regulation (EU) 2016/679 of the European Parliament and of the Council). The GDPR intends to strengthen European privacy with new rights to be forgotten (all personal data gathered by an organization must be erased) and to data portability (transferring personal data from one organization to the next) and with stricter requirements to the purpose of and consent for data processing (Lomas, 2018; Voss, 2014; Zwenne & Mommers, 2016). To ensure people can invoke old and new privacy rights and to ensure personal data is protected, organizations are required to take “appropriate technical and organizational measures” (Regulation (EU) 2016/679 of the European Parliament and of the Council, p.15). All these requirements are guided and substantiated by principles of personal data processing like purpose limitation, data minimization, accuracy, integrity and confidentiality and accountability (Regulation (EU) 2016/679 of the European Parliament and of the Council, pp. 35-36).

While there has been extensive lobbying against the GDPR with organizations like Facebook fighting against the right to be forgotten (also called the right to erasure), these and other rights have ‘made it through’ the political process (Lomas, 2012; Lomas, 2013; Lomas, 2015). The rights are backed up in the GDPR by heavy fines of up to 20 million euro or 4 percent of worldwide revenue (Verordening (EU) 2016/679 van het Europees Parlement en de Raad).

The high fines did not lead to organizations being aware of and least of all compliant with the new personal data processing regulation in the year before its effectuation, as some Dutch and international reports claimed (EY Fraud Investigation & Dispute Services, 2018; Lemsom, 2017; PwC Nederland, 2017; Sophos, 2017; Stuiksma, 2017). It must be noted that some of these alarmist reports are produced by organizations who themselves offer assistance for GDPR-compliancy (KPMG, 2018; PwC Nederland, 2017). Nevertheless, as this study was executed before May 25th and written up after, the issue of Dutch organizations not complying with the effectuated privacy law remained (MKB Nederland, 2018; NOS, 2018b). While the regulation is not postponed like some organizations pleaded, businesses were assured that the Dutch supervisory authority, the Autoriteit Persoonsgegevens, will focus on providing information, while still sanctioning organizations clearly violating the rules (PW, 2018; RTL Z, 2018, para. 8).

The Dutch public has expressed worries about their privacy in the past, but were simultaneously not very aware of the Dutch law protecting personal data (Wet bescherming persoonsgegevens) and barely invoked their privacy rights (Janssen, 2017; Verheij, 2016).

Leading up to May 25 2018 however, research from KPMG stated that 82 percent does not know what the GDPR entails, but that 85 percent would want governments and companies to be sanctioned when they are in violation, with 50 percent stating they will make use of their new privacy rights (KPMG, 2018). Whether these privacy rights will actually be invoked remains to be seen, but it can be noted that media and societal attention for the GDPR increased up until and around May 25th (NOS, 2018a; RTL Z, 2018; Van Lonkhuyzen, 2018a; Van Lonkhuyzen, 2018b). A European crowd-funded privacy initiative has already filed complaints against Google, Instagram, Whatsapp and Facebook because these major organizations may not process personal data as required (Nyob, 2018).

Another new requirement of the GDPR is that certain organizations must have a data protection officer (DPO) to advise and supervise implementation and compliance (Autoriteit Persoonsgegevens, n.d.; Verordening (EU) 2016/679 van het Europees Parlement en de Raad). DPO’s are required for three types of organizations: government organizations, organizations processing personal data on a large scale as a core activity (like hospitals, market researchers, insurance agencies or search engines) and organizations processing sensitive or ‘special’ data (criminal past, health, ethnicity and so on) (Autoriteit Persoonsgegevens, n.d.; Verordening (EU) 2016/679 van het Europees Parlement en de Raad).

DPO’s can be understood as ‘the organizational face of the GDPR’: independent, (continuously) trained GDPR-experts who inform and advise management and employees about the GDPR-requirements and supervise implementation and compliance, who may have access to personal data processing practices when needed for supervision, and who maintain unobstructed contact and cooperation with the supervisory authority (Schermer, Hagenauw & Falot, 2018, pp. 55-56; Verordening (EU) 2016/679 van het Europees Parlement en de Raad). The DPO cannot be fired or otherwise penalized for these tasks and must not have “conflicting interests” (Schermer, Hagenauw & Falot, 2018, p. 57) with other organizational roles or tasks. It must also be noted that DPO’s are not themselves responsible for implementation and compliance, as they do not make final decisions about how personal data is processed (Schermer, Hagenauw & Falot, p. 57).

Now that the origins and intentions of the GDPR are laid out, we move on to its implementation. From an organizational sociological perspective, what challenges may arise in the implementation and compliance of the privacy protection law and how does this relate to DPO’s? As the GDPR and adjacent guidelines and instructions indicate, DPO’s should be independent enough to avoid interpersonal or occupational risk in the implementation process (DiMaggio & Powell, 1983; Schermer, Hagenauw & Falot, 2018; Verordening (EU) 2016/679 van het Europees Parlement en de Raad). Interpersonal or occupational risks and power imbalances are, however, not the only hurdles organizational sociologists have identified that hamper implementation of new laws and policies. To give an overview of other recurring obstacles in organizations: formal compliance with but decoupling of policies from actual work practice, resistance to new practices by middle management because of conflicted interests and employees continuing regular work routines (DiMaggio & Powell, 1983; Dobbin, Schrage & Kalev, 2009; Edelman, 1992; Kellogg, 1976; Meyer & Rowan, 1977; Oliver, 1991; Silbey, 1984).

Counterpointing such resistance to regulations are organizations that favor change when “legal objectives are clear, sanctions for noncompliance are strong and beliefs and norms support compliance as the right and proper thing to do” (Kellogg, 1976, p. 651). Relating this normative dimension to the GDPR, reputational reasons to be compliant are mentioned in sector studies, varying from 30 percent of organizations fearing permanent reputation damage from data breaches to Dutch citizens who are more likely to share personal data with reputable organizations (KPMG, 2018; Verdonck, Klooster & Associates, 2017). Commercial organizations are sensitive to such reputational damage because they may lose customers, as the chairman of the Autoriteit Persoonsgegevens also argued (BNR, 2017).

In their particular organizational role and position, DPO’s may try to overcome aforementioned hurdles and stimulate normative sensitivities to ensure implementation and compliance. Taking one step back, a DPO’s role in an organization and strategy for compliance is itself also a process (and result) of institutionalization. The role of organizational actors tasked with compliance, according to institutionalist theory, is socially constructed by how these actors interpret the law, their intra-organizational (and sometimes conflicting) responsibilities and how these actors and strategies are perceived (Edelman, Petterson, Chambliss & Erlanger, 1991). The organizational sociological question then arises how DPO’s roles and strategies are formed, how they go about ensuring compliance in their organization and what challenges they experience in the process.

To summarize the central problem to this study, the following research question is used: What strategies do DPO’s employ to ensure implementation and compliance of the GDPR within their organizations? Answers are sought through the following sub questions:

How is the role of DPO’s in organizations and their strategy for implementation and compliance institutionalized?

What organizational challenges do DPO’s experience in the process of implementation and compliance and how do they respond to these challenges?

If and how do DPO’s draw upon or influence organizational norms and beliefs concerning personal data processing and privacy rights to ensure implementation and compliance?

Studying these issues serves both a societal and sociological purpose. As stated before, the GDPR intends to strengthen privacy rights in a surveillance society where these rights are said to be increasingly undermined in economic, social and political contexts (Giroux, 2015; Madden et al., 2017; Van Dijck, 2014). The GDPR may then be nothing but essential upkeep of our privacy rights and ideally should be ‘completely’ implemented and complied with by organizations. Whether the implementation and compliance actually strengthens European privacy rights however, may in part rely on the strategies of DPO’s. As such, exploring the institutionalization of DPO’s roles and strategies and identifying what organizational challenges they face, can offer a tentative evaluation of both the GDPR and of DPO’s. Given that the GDPR is needed to reinforce ‘our’ privacy in a surveillance society where collection and analysis of personal data may more and more affect ‘our’ lives, this study can contribute to the larger evaluative question whether the GDPR ‘does its job’. And as the DPO’s play a role in the implementation and compliance of the GDPR, it is important to know if and how these actors tasked with compliance can in turn ‘do their job’.

A better understanding of the strategies DPO’s employ to ensure organizational implementation and compliance may also benefit the organizational sociological field. For example, the literature about actors tasked with compliance used in this study focuses on employees or managers, not on explicitly independent actors like DPO’s. More knowledge about such actors’ strategies and organizational hurdles they may face can then broaden existing theoretical insights. In a broader academic context, this research can add a specific dimension to sociological theory about privacy. Anthony, Campos-Castillo and Horne (2017) argued in The Annual Review of Sociology that this theory focuses more on individual privacy than on the macro-impacts of changing privacy on society. While this study still has a micro-approach, focusing on the DPO’s experience and actions, it informs the macro-issue of strengthening privacy rights under the GDPR and as such, may add to this lacuna of sociological macro-research about privacy.

To conclude, the structure of this thesis is laid out. First, the theoretical framework shows how organizational challenges that DPO’s might face and the institutionalization of their positions, roles and strategies can be sociologically understood. Then, the methodology of data gathering and analysis is explored and assessed. After this, the relevant findings are presented and connected to the theoretical framework in the course of four chapters. Finally, conclusions are drawn about the strategies DPO’s employ to ensure implementation and compliance, which may tell us more about organizational responses to and compliance with privacy protecting regulations like the GDPR.

Theoretical framework

This theoretical framework operationalizes concepts like strategies, role institutionalization, organizational hurdles and normative sensitivities as well as social problem construction in relation to the GDPR and DPO’s. First, relevant concepts regarding the organizational requirements in the GDPR are defined. Then, recurring organizational challenges of regulatory implementation are identified and connected to challenges that DPO’s might face. Third, to know how DPO’s might overcome these and other challenges, the sensitizing concept of strategies is operationalized. Fourth, we operationalize how DPO’s positions, roles and strategies are institutionalized. Fifth and finally, constructivist theory on social problem construction is fitted in an ‘organizational mold’ to operationalize how DPO’s may co-construct privacy protection and the GDPR as organizational problems.

As the GDPR contains many requirements on personal data processing and privacy rights for organizations to implement and comply with, studying how this regulation is implemented requires setting some boundaries. This study focuses on what legal academics and parties like the Autoriteit Persoonsgegevens indicate as new requirements of the GDPR, like the records of processing activities (registering how, why and what personal data is processed by the organization), the right to be forgotten or erased (deleting personal data from the organizations’ systems, as well as requesting other organizations to do this) and the right to data portability (receiving an accessible and machine readable copy of personal data processed by an organization) (Algemene Verordening Gegevensbescherming, Schermer, Hagenauw & Falot, 2018).

To understand the strategies DPO’s employ to ensure implementation of and compliance with these GDPR-requirements, it is necessary to sensitize this study to recurring organizational hurdles of implementation and compliance. Reasons for this are both theoretical and empirical: organizational sociological studies emphasize the importance of hurdles like the aforementioned decoupling of policies from work practice, the opposing and self-serving middle managers and change-resistant employees, as shown in the next paragraphs. Besides their theoretical importance, similar hurdles also arose in earlier internship research about organizations implementing the GDPR.

Regulatory pressure to change organizational processes and practices, as the GDPR intends to change personal data processing in relation to privacy rights, can fail when organizations decouple or loosely couple new policies from existing work routines. Formal rules or guidelines are changed to indicate compliance, but management and employees do not actually change their practices as stated (Dobbin, Schrage & Kalev, 2009; Kellogg, 1976; Meyer & Rowan, 1977). There are various reasons for this decoupling. The intended change may conflict with efficient organizational practice or employees and managers may simply continue “entrenched routines at odds with those innovations” (Dobbin, Schrage & Kalev, 2009, p. 3; Meyer & Rowan, 1977). Decoupling or loose coupling can then be identified in this study when DPO’s experience their organization instating new policies or guidelines that signal compliance to the GDPR-requirements, while actual data processing practices remain unchanged, for reasons related to efficiency or routine.

The challenge of managerial resistance due to conflicted interests points to ‘middle managers’ who are responsible for various work processes between top management and work floor employees and resist intended change because their own interests are somehow at stake (Edelman, 1992; Kellogg, 1976). Intended change may conflict with or be added to the existing workload of managers and thereby ignored or even “actively discouraged” (Kellogg, 1976, p. 652) when their personal interests are not in line with those of higher management (Edelman, 1990; Kalev, Dobbin & Kelly, 2006; Meyer & Rowan, 1977). Managerial resistance due to conflicted interests can then be identified in this study when DPO’s experience middle managers resisting changes in their work processes or employees’ work processes that they manage (relating to personal data processing) for reasons as: other organizational demands getting higher priority or GDPR-requirements conflicting with work processes or personal interests.

The third recurring hurdle that hampers organizational change is when employees persist in existing practices. Reasons for this are varied: people tend to resist changing habits and routines in general, interpret and react to change “according to cognitive scripts, moral beliefs, and material self-interest” (Kellogg, 1976, p. 652) and ‘in-company’ norms, which are not always in line with formal regulatory requirements (Edelman, 1992; Edmondson, 2002; Kellogg, 1976). This hurdle of entrenched routines can be identified in this study when DPO’s experience employees sticking to habitual or routinized processing of personal data that should change to comply with the GDPR. Reasons for this may be a general resistance to changing these work habits, personal (be it moral, rational or self-interested) considerations for resisting change or fearing personal or occupational risks.

As stated before, the strategies DPO’s employ to ensure implementation and compliance may be related to recurring organizational hurdles hampering change. Therefore it is useful to sensitize the concept ‘strategies’ to theory on ways to overcome some of these challenges.

In the case of decoupling, one identified problem-solving strategy is replacing written rules like guidelines with “substantive innovations” (Dobbin, Schrage & Kalev, 2009, p. 4) that actively change work processes in such a way to produce the desired results, specified for particular groups of employees. In the case of the GDPR and the DPO, such substantive innovations would mean that the DPO is involved in the implementation of new or altered work processes relating to personal data processing, specific to particular organizational levels or teams.

In the case of (middle) managerial resistance and employees in entrenched routines, organizational sociological theory does not identify direct solutions but instead points to more desirable alternative situations, related to two ways of learning. As Edmondson (2002) summarizes, “researchers have long drawn a distinction between two types of learning-exploitation and exploration (March 1991), first- and second-order learning (Lant and Mezias 1992), single- and double-loop learning (Argyris 1982), and Learning I and Learning II (Bateson 1972)” (Edmondson, 2002, p. 13). Key difference between the learning types is that the first focuses on trial-and-error gradual change of current work processes and the second opens up perspectives on entirely new processes (Edmondson, 2002, p.130). The second type of learning requires employees to share critical perspectives without fear of repercussions, meaning in the case of this study that DPO’s try to overcome managerial resistance or employees continuing existing habits by somehow creating a safe space for second-order or double-loop learning (Edmondson, 2002).

As these organizational hurdles hampering change and their possible theoretical solutions may not prove to be exhaustive for the strategies DPO’s employ, strategies and organizational challenges remain relatively open concepts. Since DPO’s may run into very different organizational challenges or no challenges at all, and react to both situations in specific ways, the concept ‘strategies’ must cover any practice or approach DPO’s use within their organizations and at various levels and teams to have them implement and comply with the GDPR’s requirements.

What strategies DPO’s employ to ensure implementation and compliance also depends on how DPO’s and their strategies are institutionalized. Edelman et al. (1991) argue that organizational responses to regulation like decoupling and subsequent (non)compliance are not homogeneous, because actors tasked with compliance have different roles, work in different social and political contexts in organizations and therefore interpret ambiguous legal norms in various ways. The institutionalization of such actors’ roles and strategies works as a funnel for compliance, they argue. Regulations often do not provide organizations with clear-cut criteria or norms for compliance, leaving room for interpretation (Edelman et al., 1991). Such ambiguous laws ‘enter’ organizations and are interpreted in a specific way by the actors tasked with its compliance. The organizational role and strategy of these actors for implementation and compliance is socially and politically constructed in the organization, producing particular types of compliance (Edelman et al., 1991).

Several factors influencing the institutionalization of actors tasked with compliance, in this case the social and political construction of DPO’s roles and strategies, are theoretically identified. Organizations and actors tasked with compliance (in this case DPO’s) can have conflicting perceptions of what implementation and compliance should look like and who ultimately holds responsibility (Edelman et al., 1991). What’s more, there can also be discussion about whether actors tasked with compliance should help with (advise) or enforce (supervise) implementation and compliance (Edelman et al., 1991). When such perceptions contradict each other, this can lead to political tensions that can negatively affect the organizational positions of actors tasked with compliance or make it harder for them to ensure implementation and compliance (Edelman et al., 1991). To avoid this, actors like DPO’s select and switch between different helping and enforcing roles.

These social and political contexts in organizations then influence what roles DPO’s fulfil and what strategies they employ for implementation, ultimately contributing to various forms of organizational compliance. The institutionalization of DPO’s roles and strategies can then be operationalized as a process of how they came to be in their position, how they feel their role and strategy is or has been constructed and how they themselves interpret the GDPR.

Connected to the institutionalization of DPO’s roles and strategies is institutionalist theory on organizational normative sensitivity to regulations. Organizations are said to have a dual rational and normative nature which both affect their response to regulation.


‘surrounding’ regulations, i.e. their normative intentions in society. This corresponds with the institutional or cultural ‘school’ of organizational sociology which emphasizes the importance of institutional i.e. normative dimensions of regulations for organizational change (Edelman 1990/1992; Edelman & Suchman, 1997; Scott, 2004). Regulations are then not only frameworks defining organizations’ rational considerations of costs and benefits, but also have normative weight to which organizations are sensitive: the materialist versus cultural debate (Edelman & Suchman, 1997, p. 493), or, as Scott (2004) argues, the “dualist nature of organizations” (Scott, 2004, p. 8). Operationalizing this in relation to the strategies of DPO’s, this would indicate DPO’s either using or influencing organizational norms and beliefs concerning privacy rights and personal data processing to ensure implementation and compliance of the GDPR.

Finally, it is important here to include theoretical insights on the organizational definition or construction of problems. As explained, DPO’s can be perceived as relatively new organizational actors and because of this, we need to understand how their roles and strategies are institutionalized in the organizations they work for. Following this institutionalist theoretical approach, this study may also benefit from constructivist theory on the social construction or definition of problems, in this case privacy protection and the GDPR. After all, the GDPR itself can also be perceived as relatively unique legislation (harmonizing national laws, significant fines, far-reaching new requirements). The GDPR and, more generally, privacy protection may thus be relatively new organizational issues or topics, and it is therefore useful to unpack how these issues or topics are socially constructed.

A second reason for including such constructivist theory, adapted to an organizational form in the upcoming paragraph, is that this study (in part) follows a constructivist sociological approach to understand the strategies of DPO’s. In the Weberian constructivist sense, Verstehen is the goal here: to perceive the GDPR through the eyes of the DPO, their roles and strategies, and how these in turn are perceived and co-constructed by others within organizations (Bryman, 2011; Edelman et al., 1991). Following this, the institutionalization of DPO’s roles and their strategies is a process of social construction. Studying social constructions by analyzing perceptions and interpretations corresponds with the constructivist ontological dimension of and approach to sociology (Bryman, 2011). It may therefore be useful to deepen the institutionalist and constructivist analysis of how DPO’s roles and strategies are institutionalized by analyzing how DPO’s construct the GDPR as an organizational problem.


Relevant constructivist insights on the construction of social problems are summarized here and mapped onto the organizational dimension. Social problems are not simply reflections of objective harmful situations or phenomena in society, but are social constructs (Hilgartner & Bosk, 1988). Social problems can then be understood in a processual way, with specific actors co-constructing how a problem can be understood and dealt with, where it comes from (causal responsibility) and who should fix it (political responsibility) (Best, 2015; Gusfield, 1984; Hilgartner & Bosk, 1988). Placing this within the confines of organizations and informing it with the concepts of this theoretical framework, the social actors who co-construct public problems in this study may be DPO’s, managers i.e. directors (the organizational top), middle management (think of managerial resistance) and employees (think of employees in entrenched routines).

This co-construction of organizational problems by specific actors mirrors the organizational sociological study of agenda setting, where specific actors work to define particular issues as problems for the organization of which management must be made aware to push decision making (Dutton & Ashford, 1993; Mintzberg, Raisinghani & Theoret, 1976). By ‘keeping an eye’ on whether and how DPO’s and other organizational actors co-construct organizational problems and try to get the GDPR and privacy protection on the agenda, perhaps the strategies and challenges of DPO’s can be more thoroughly analyzed.

To conclude, this theoretical framework offers an institutionalist and constructivist approach to respectively analyze DPO’s positions, roles and strategies as well as how they and other organizational actors may co-construct privacy protection and the GDPR as organizational problems. To identify challenges DPO’s might face in their strategies to ensure implementation and compliance, the theoretical framework identifies recurring organizational hurdles of implementation and compliance, namely decoupling, (middle) managerial resistance and employees in entrenched routines. With these concepts in hand, we have a theoretical foundation to survey the empirical findings. But before doing this, the


Methodology

Since this research focuses on the experience, perception and agency of data protection officers, it follows a qualitative methodology for data collection and analysis. As Bryman (2012) argues, one of the characteristics of qualitative research is an epistemologically interpretivist and ontologically constructivist approach to respectively research and the social world. An epistemologically interpretivist stance corresponds with the focus in this research on the experience, perception and agency of DPO’s, or in other words, studying social phenomena through the eyes of social actors (Bryman, 2012). This epistemological research strategy indicates an ontological constructivist worldview. Studying subjective perceptions and experiences to better understand the social world presupposes that this social world is in fact a social construct made up of both objective actors and actions and their subjective experiences and perceptions (Bryman, 2012).

Another reason to do qualitative research is that this study has an exploratory nature. DPO’s organizational independence does not seem to be a common factor in organizational sociological theory about regulatory implementation, and the GDPR, as stated in the theoretical framework, may also be unique. Qualitative research can explore such relatively new social contexts and issues to offer fresh insights that quantitative research can then test and generalize (Bryman, 2012).

Qualitative data collection was done through semi-structured interviews with 13 DPO’s and by gathering materials DPO’s used in their organizations to ensure implementation and compliance. Respondents were asked before, during and after the interview to supply materials and documents like presentations, workshop materials and internal communications. Ultimately after repeated requests, 8 out of 13 respondents provided such materials, varying in size, length, form and purpose (other documents for example were organizational privacy policies and implementation methodologies or action plans).

Initially, these documents would be used to triangulate and verify interview findings about the strategies DPO’s employ. Such triangulation can strengthen the credibility of qualitative research, as Guba and Lincoln (1994) argue. But because not all respondents provided such materials and, more particularly, because the gathered materials were very different in form, size and purpose, systematic triangulation would add little. Using such strongly varying documents to triangulate findings in the interviews would essentially result in incomparable triangulation per interviewee, resulting in very diffuse and messy conclusions. Ultimately, the materials were qualitatively coded and analyzed like the interviews to provide relevant examples and context to the interviews.

The choice for semi-structured interviews was made because of this study’s explorative and interpretivist nature. Questions in the semi-structured questionnaire (added as Appendix) regarding DPO’s strategies, roles and hurdles were based on the operationalized theoretical framework. Concepts were described as matter-of-fact as possible, for example by leaving out the concept of institutionalization and simply asking about professional and educational backgrounds, positions and roles in the organization.

Sampling respondents for such qualitative and exploratory research provided several challenges. First, what is a sufficient sample size? Methodological discussion about qualitative sample sizes is inconclusive: some argue for samples of minimally 30 respondents, others emphasize a balance between informational and theoretical depth or saturation and pragmatic limitations to data analysis (Bryman, 2012). Exhaustive justification of the selected sample size is then left as the best solution (Bryman, 2012). In the case of this study, justification on a theoretical basis may prove difficult. Both the DPO and the GDPR are relatively unique and seemingly unstudied in organizational sociological research. Justification of a sample size must then be based on pragmatic considerations. Given the initially planned data collection period of a month and a half and previous internship experience in contacting and interviewing DPO’s, a sample size of 10 seemed both attainable and theoretically sufficient. The document sample size of course depended on the respondent sample size. After the initial data collection period, insights from the interviews and materials proved so varied that 3 more respondents were contacted and interviewed, specifically working in (health)care organizations (one DPO of two hospitals, one DPO of three healthcare and welfare organizations and one DPO of one healthcare and welfare organization). To explain this, first the sample characteristics must be described.

Sampling in this study was done with two qualitative sampling approaches: purposive criterion sampling (purposively selecting DPO’s that work in the three types of organizations where DPO’s are required) and purposive snowball sampling (selecting and contacting DPO’s through existing contacts in the field) (Bryman, 2012). Purposive sampling was done using the Dutch registry of DPO’s maintained by the Autoriteit Persoonsgegevens, which provided names and organizations. Simultaneously, purposive snowball sampling was done by posting messages on an online public-private network organization for information security and privacy protection. Of all 13 respondents, 6 were contacted through purposive snowball sampling and 7 through purposive criterion sampling.

As stated, data from the initial 10 respondents proved so diverse that additional respondents in specifically healthcare organizations were interviewed to better identify and analyze commonalities. This begs the question why this sample was constructed: why not seek out DPO’s working in only public or private organizations, or even more specifically, only healthcare organizations for example? The summary of this study shows that the strong diversity of DPO’s roles and perceptions is partly because of the very different organizations respondents work in. The reasons for this sample variety are both academic and pragmatic. Sampling respondents from all three types of organizations where DPO’s are required would offer as much breadth as possible. The idea was that this is what exploratory research should be: broad instead of narrow, offering all kinds of starting points for further generalizing and hypothesizing research. But in practice, sampling respondents of one organizational type (organizations processing personal data on a large scale as part of their core activities) proved impossible as DPO’s said they were either too busy with the GDPR or did not respond at all. Data from the other initial 10 respondents, as explained, was very diverse. The final sample of 13 respondents was thus constructed from an academic starting point but along the way modified for pragmatic reasons to ultimately draw conclusions with theoretical merit and to avoid empiric randomness.

In the course of doing interviews and gathering materials, the main issues and concepts of this study became clear (awareness and institutionalization) and other topics and questions in the questionnaire were discussed less (what DPO’s and organizations think of specific GDPR-principles and if and how DPO’s draw upon organizational norms and beliefs in the organization regarding privacy protection). This narrowing focus can be expected in any academic research: to draw conclusions is to construct an argument and to construct an argument, some darlings must be killed. How this selection affected the findings is explained in the conclusion.

The interviews were transcribed verbatim and subsequently coded, after which the materials were similarly coded. Coding was done in an iterative analytical process, rereading transcripts and coding segments relevant to the research question and sub questions with the coding software ATLAS.ti. Through open coding, informed by the theoretical framework, these segments were selected and identified (Boeije, 2005). Examples of these were “DPO role in org” pertaining to DPO’s role institutionalization and “Handling GDPR: awareness” referring to strategies that DPO’s employ for raising GDPR-awareness. As this study is exploratory and some of its common themes were relatively surprising - awareness ended up as a central concept but did not play a large role in the theoretical framework - theoretically informed open codes provided firm footing to place these surprising findings.

The next steps in coding, following the typology of Strauss and Corbin, were axial coding and finally selective coding (Boeije, 2005, p. 85; Bryman, 2012). Open, axial and selective coding here converged quickly. As open coding was strongly informed by the theoretical framework, open codes were already clearly related to each other: “Org challenge GDPR: connected other org” and “Org challenge GDPR: lack awareness” both clearly refer to organizational challenges DPO’s experienced. As such, the relatively organized open codes were easily clustered into 7 main code groups, thereby finishing axial coding. Selective coding then describes the main concepts of the study based on these axial codes and selects and connects these concepts to construct a coherent argument that may answer the research question (Boeije, 2005, p. 109). This was done by once more rereading the selected data under the 7 main code groups, identifying the main themes of awareness and institutionalization and how these relate to the research question and the sub questions to ultimately reach a conclusion.

Before moving onto the findings, the limitations of the selected methodology must be mentioned and critically questioned. First, some considerations on this study’s sample and data are shared, after which the limitations of qualitative research are explored more systematically using existing criteria.

Regarding this study’s sample, having only DPO’s as respondents of course offers a rather singular view of social issues and environments. No other organizational actors were asked about challenges or perceptions relating to the GDPR, due to pragmatic reasons of time and capacity. Second, studying and describing social worlds through the eyes of respondents, in this case via interviews, comes with particular pros and cons. In social science, studies based on interviews “routinely conflate self-reports with behavior and assume a consistency between attitudes and action” (Jerolmack & Khan, 2014, p. 178). This wrong assumption is called the attitudinal fallacy: “the fact that what people say is often a poor predictor of what they do” (Jerolmack & Khan, 2014, p. 178). For this study, this would mean that DPO’s might not handle organizational challenges as they say they do. This is mostly avoided here, because DPO’s strategies in general consist of concrete, objective actions and activities like workshops and presentations. What’s more, for 8 out of 13 respondents, the gathered materials offer some verification of DPO’s perhaps fallible strategical descriptions. Nevertheless, this limitation of mainly interview-based research must be considered.

Moving on to the limitations of this qualitative study, these may best be explored through Guba and Lincoln’s (1994) four criteria of trustworthiness for qualitative, constructivist research (Bryman, 2012). These criteria represent specific qualitative and constructivist equivalents of quantitative and positivist criteria: “credibility (paralleling internal validity), transferability (paralleling external validity), dependability (paralleling reliability) and confirmability (paralleling objectivity)” (Guba & Lincoln, 1994, p. 114). Credibility here refers to credible representations of how respondents, in this case DPO’s, construct their social world, which can be strived for via respondent validation and triangulation (Bryman, 2012). Transferability in qualitative, constructivist research can be strived for through thick description of respondents’ social contexts and dependability can be assured through auditing, whereby peer researchers audit and review both the study and the data (Bryman, 2012). Finally, confirmability is a criterion concerning unbiased research (Bryman, 2012). We now assess this study with the use of these four criteria.

First, credibility was attempted through triangulation and ultimately practiced through respondent validation. Gathering and qualitatively analyzing materials that DPO’s used to ensure implementation and compliance was initially meant for triangulation. But because only 8 out of 13 respondents provided such materials and these materials varied strongly in size, form and purpose, they were ultimately used to elaborate on the DPO’s strategies instead of triangulating what DPO’s discussed concerning their strategies. To ensure credibility as much as possible, respondents were asked to validate their representations in the findings. When finalizing this study, 3 respondents had reacted and validated their representation, only adding minor factual suggestions. This offers some (of course limited) credibility to the findings.

Second comes transferability, assessed here through thick description that clearly describes specific social contexts. While this was strived for by leaving ample space for quotes of respondents that might directly represent their own perceptions of organizational social contexts, this study might have benefitted from a thicker description of the organizations the respondents work in. As the social and political contexts, along with organizational types and privacy protection experiences, were ultimately crucial elements of DPO’s institutionalization, more detailed descriptions of these contexts could have deepened the analysis. Future research could build on this by more closely studying the organizations that DPO’s work in: what is their make-up, hierarchy, culture, what organizations surround them, what organizational actors have which particular roles?

Third, dependability, which may prove to be the hardest criterion to reach for. As Bryman (2012) explains, auditing of qualitative research is somewhat of a rarity, simply because qualitative studies yield large data sets that are hard to sift through, which can even be argued for the 13 interviews and 23 documents used in this study. Dependability then is related here to credibility and approached by respondent validation and critical assessment of the data interpretation and analysis by this study’s counselor and first reader.

Confirmability is then the last of the four criteria of proper qualitative, constructivist research. Does this study reflect an unbiased approach to privacy protection, the GDPR and DPO’s? The researcher’s personal and professional interest in privacy protection, personal data processing and the GDPR only affected the selection of these topics for study, not the selection of theory, method, respondent or manner of reporting. It must be said that previous experience with qualitative interviews, both academic and journalistic, may have influenced the constructivist, qualitative approach of this study. At the same time, the relatively unique position and roles of DPO’s and the particularity of the GDPR would also point to exploratory and therefore qualitative research. This therefore substantiates selecting qualitative interviews and document analysis for this study.


Findings: Awareness, a many-headed beast

Introduction to the findings

To analyze the data from the interviews and materials, some structure is needed. As the findings in the following chapters will show, awareness of the GDPR is the common empirical and theoretical thread. Awareness is a multidimensional concept, relating to the organizational challenges DPO’s experience in the process of implementation and compliance, their open-ended and relatively poor organizational institutionalization and the strategies they employ to overcome these issues. These dimensions will be discussed one by one through identifying commonalities and salient differences or particularities in the data. As findings from the DPO’s materials are mostly about the strategies they employ, these will largely be discussed in chapter 4 concerning strategies. The respondents are given pseudonyms as explained in Table 1. Where relevant, additional context concerning the DPO’s organizations or backgrounds will be provided.


Table 1

Pseudonyms for respondents and description of their organizations

| Pseudonym respondent | Description of respondents’ organization |
| --- | --- |
| Adriaan | Acting DPO of governmental financial/administrative organization |
| Bas | DPO of healthcare and welfare organization |
| Cees (and Dirk) | Interim DPO of large municipality (and program manager of GDPR implementation) |
| Eelco | DPO of healthcare and welfare network (same as Harry) |
| Floris | DPO of governmental agricultural organization |
| Gabrielle | DPO of marketing research organization |
| Harry | DPO of healthcare and welfare network (same as Eelco) |
| Jan | DPO of governmental water company |
| Karlijn | DPO of middle-sized municipality |
| Lennart | DPO of multiple private and public organizations |
| Michael | DPO of two hospitals |
| Niek | DPO of three healthcare and welfare organizations |
| Olivier | DPO of healthcare and welfare organization |

Note. Respondents Eelco and Harry work for the same healthcare and welfare network, but are active as DPO in different healthcare and welfare organizations tied to this network. Respondent Cees was interviewed together with the program manager of the GDPR implementation, referred to here as respondent Dirk.

Several respondents (Harry, Lennart, Niek) also work for organizations not mentioned here. Where discussed, this will be mentioned in the findings.


Chapter 1. Awareness as an organizational challenge

1.1 Introduction

This chapter describes the organizational challenges DPO’s experience in their work. If this study aims to understand DPO’s strategies to ensure implementation of and compliance with the GDPR, first we need to know what they are up against. As this chapter will show, there are several challenges that DPO’s experience in the process of implementation and compliance: the GDPR is viewed as threatening proper work practice by welfare professionals, its implementation is conflictingly interpreted within the same multinational organization and top managers are enticed by the lure of (big) data analysis which may not comply with the privacy protection regulation. The most recurring and pressing organizational challenge DPO’s experience however, is not decoupling, managerial resistance or entrenched routines. It is lacking awareness.

Because of lacking organizational awareness of the GDPR and privacy protection, DPO’s have to deal with hurdles like ‘repair work’ of information security and privacy protection, external risks of non-compliance and (financial) difficulties in getting the GDPR ‘on the map’. How and to what degree this lack of awareness hampers implementation varies per organization type, size and state of privacy protection and information security, as this chapter will show. The organizational lack of awareness of the GDPR is also reported in recent sector surveys and journalistic articles, as shown in the introduction of this study. These reports will be discussed in connection to the findings here.

1.2 Challenges in social care and multinationals

Before the recurring challenge of lacking awareness is discussed, other organizational challenges are identified. First, the issue of the GDPR threatening proper work practice. At least three respondents mention specific employees or departments who feel that the new privacy protection requirements make their work harder or even impossible. This was especially the case for social workers. Dirk’s large municipality works with “multifunctional teams who are less focused on one problem in a family (…) but [on] all problems. (….). In those kinds of specific situations you of course want to share a lot of data. (….) And they really view the GDPR as a threat like (…) this task will only get harder.” Dirk explicates that not only data breaches, but also being unable to share data in social work can lead to privacy incidents which can then harm the municipality’s reputation. “A practical example (…) is a family [whose] father (…) is part of a biker club and who is also armed, dangerous and aggressive. And that family needs help (…) so then a neighborhood team comes along. But then it is pretty handy if that team knows that there is a man (…) that may be aggressive. So they want to share that information. Well, they cannot just do that. (….) But you also don’t want to end up in the papers that you either didn’t get into the house or that a caretaker was shot while you had that information.” Karlijn primarily receives questions from her municipality’s social domain-department about data sharing, GDPR-compliancy and the “integral care approach” of collaborating social workers. Niek points to the GDPR-principles of subsidiarity and proportionality to solve such data-sharing issues: “If the goal is to save a life of a child in a problem family, then the necessity [to use data] is many times higher than when (…) someone in the family (…) doesn’t sleep well or something.” Perceiving the GDPR as threatening to work practices can then be related to particular organizational types (municipalities) and purposes (social work). Social work teams decoupling the GDPR’s privacy requirements from work practices or social workers continuing entrenched routines of data sharing are not the case here. Or better said, not yet.

A very particular and ‘multinational-specific’ organizational challenge was noted by Gabrielle. Her marketing research company is part of an international organization and the mother company wanted the Dutch branch to ask research participants for renewed consent. For Dutch market research companies however, it is common to work with terms and conditions, not consent. “So there was a whole discussion where global says, yeah, but you (…) have to have consent. (…) Where we say (…) but in the Netherlands (…) nobody does that. (….) If we follow global then we have to have a consent form now (….) with the risk of people thinking, huh, what is this? Well, [this is too much for me], I’m out. So that’s a risk for your panel.”

These very specific implementation challenges that DPO’s experience (the GDPR threatening proper social work and conflicts of implementation within one multinational) of course would need further study, but appear to be directly related to particular organizational types (multinational and municipality) and purposes i.e. functions (social work and market research). Interesting here is then how DPO’s of similar organizations handle such specific challenges, which will be discussed in chapter 4 about DPO’s strategies. Here, we move on to the most common organizational challenge DPO’s experience: lacking awareness.

1.3 A continuous struggle

Lacking awareness of privacy protection and the GDPR, as stated in subchapter 1.1, is a many-headed beast. As for the challenges DPO’s experience, lacking awareness pops up inside and outside organizations and rears its heads in both technical and organizational structures i.e. systems for privacy protection and information security. A majority of DPO’s (at least eight respondents) indicates that creating and maintaining awareness is an ongoing struggle, almost no matter where they are in the implementation process. The governmental financial and administrative organization where Adriaan is acting DPO started an implementation project for the GDPR in 2016 and has been “protecting personal data on a more serious basis” since 2000. Adriaan estimates the awareness in his governmental financial and administrative organization to be around 80 percent, but emphasizes that “you have to put constant effort into it to stay at that 80 percent (…), awareness goes down just as it came up”. In the recent past, lacking awareness made it hard for privacy officers to get an overview whether the governmental organization compliantly processed personal data: “The privacy officers need input from the business department like, what do you do? What kind of personal data do you process? And what security measures have been taken? And did you hire anyone to do it, a consultant, and is there a processing agreement? (…) It took quite some effort to make those managers on the lower levels realize, dude, it’s not our responsibility, yóu have to get to work!” This awareness issue of responsibility for compliance, which will be explicated further in chapter 3 concerning DPO’s institutionalization, is caused by short-term thinking according to Adriaan: “Such a manager [is concerned with] issues of today (…) that provide short term results (…) yeah that’s for May 2018 they thought, that doesn’t give me anything now and that was also (…) primarily because the awareness wasn’t there.”

Regarding awareness in different (hierarchical) levels of organizations, Niek experienced such deliberate evasion of compliance that he ultimately quit certain organizations before working with his current employers: “They want to do all sorts of things, they don’t want to do it in accordance with legislation and regulations. (….) Like the Japanese say, a fish rots [from the head down]. If you have that kind of attitude at the top, take it from me that the layer below is even worse and that the work floor is one big mess.”

Lacking awareness of the GDPR has also been the experience of Cees, until a major privacy incident a little over a year ago made his municipality painfully aware of these issues. “In the beginning it was quite hard to get this on the map (…), you are just in a period of major cutbacks (…) and if you then start yelling, gosh, every cluster should have a privacy officer, and we have to focus on (…) a topic that is not very sexy and that doesn’t directly deliver something right? (…) Well eventually (…) there was understanding, and (…) then came a major data breach and an investigation (…). Then it (…) became pretty topical”. Documents about a privacy awareness campaign in the municipality also mention that “management and employees are (…) as of yet inadequately aware of the risks associated
