A dilemma that you are a part of can be confusing. You may not even realise that a decision that you must take is presenting for you a personal/professional dilemma. As a data protection officer, this becomes very evident, and problematic requiring skills beyond what is considered normal, i.e. legal, security, etc.
The most profound privacy dilemma is that in any democratic society, it is a human right to have freedom of speech, as is it a human right to a private life. On a more personal level, we want a right to privacy for ourselves per se, but for others, we want to know what our family, friends, acquaintances, are up to!
Then there is the human right to feel safe, which can be provided with the installation of cameras, alarms, etc., in shops, petrol stations, metros, and even in our homes. But this conflicts with our human right for a private life!
Dilemmas come in many forms even in our daily life, especially as parents. I remember when I was offered a job at Cern in Geneva in 1996, at the time I was living in UK, a single parent with a 16 year old son. I was not immediately in a dilemma, I gave him the choice to join me in France, go to a French school, learn French, skiing every weekend, etc., a wonderful life ….which he refused. Funnily enough, looking back now, my immediate dilemma was not to respect my son’s wishes and then find a way so that he could stay and I could go, my dilemma was what others would say about me as a mother. Maybe I had to refuse the job offer?
If we return to the role of the data protection officer. Often the DPO will advise on what is the best course of action when standing in the shoes of the data subject, then it is up to the business to make a decision. If this decision conflicts with advice from the DPO. This is a business dilemma, e.g. lack of transparency concerning a personal data breach (not yet confirmed) versus doing what is right as per GDPR.
If the DPO role as defined in the GDPR Articles 37-39 is respected by the business, then as long as the DPO is experienced and aware of the dilemma and potential conflict with the business, a way forward can be found. It is another skillset required for a DPO not mentioned in the GDPR, or even in any book I’ve read so far, and that is the ability to mediate between the business and meet data subject rights. To able to see the trees for the wood, to see there is a dilemma, to see that it is not personal, it is life.
Just in case you are interested in the outcome of my dilemma as a mother. A year following the decision my son told me when visiting me in France, that it was in fact the best parenting decision I had made to leave him in UK. He was freed from my mothering…which he’d had enough of. So as unlikely was this outcome, it was indeed the right decision for us both.