In light of recent regulatory action regarding Data Protection Officer (DPO) independence, this article considers the ethical and practical considerations surrounding the appointment of a DPO.
The fines and regulatory risk
On April 28, 2020, the Belgian Data Protection Authority (DPA) issued a €50,000 fine to an organization for appointing the head of compliance, audit and risk management as DPO. The Belgian DPA argued that combining these two roles creates a conflict of interest and violates Article 38(6) of the GDPR.
This decision is in line with earlier holdings where the Belgian DPA stated that DPOs cannot delete the personal information of a data subject themselves. All decisions regarding the data processing must be taken by the data controller with the advice of the DPO. The DPO’s role is to inform, advise, monitor compliance, and act as the contact for the supervisory authorities as well as for data subjects. The controller, on the other hand, makes the decisions on data processing, including data deletion.
Duties of a Data Protection Officer
These two decisions highlight important aspects of the GDPR and its requirement of an independent DPO. A DPO is expected to be an expert in all relevant regulations and be available to act as a point of contact between the organization and regulator. The DPO is also responsible for tracking compliance within an organization, collecting information on processing activities, ensuring that data processing satisfies GDPR requirements, and advising the controller and processor on these matters.
This extensive list of duties and responsibilities is only made possible when the DPO has the full collaboration of a wide range of departments and individuals within an organization, such as the head of IT, audit, compliance, and legal among others.
The Data Protection Officer also advises the controller when a data protection impact assessment (DPIA) is necessary. Once a DPIA has been carried out, the DPO examines whether it is satisfactory and, based on the findings, advises on how to proceed. When significant risks have been identified with a processing activity, the DPO should advise on whether additional safeguards can be put in place.
The DPO also serves as an intersection point between the organization, the data subjects, and the supervisory authorities. A supervisory authority is able to obtain information through the DPO in order to fulfill its investigative, advisory, and corrective role.
Moreover, organizations need to conduct data protection and privacy training to remain compliant. The DPO should be involved in advising and training employees and relevant stakeholders on GDPR compliance.
The independence of the Data Protection Officer
Given the DPO’s critical role, they must be independent. The controller or processor should view the DPO as an advisor and therefore refrain from directing them on how to fulfill their duties or swaying them to reach a certain conclusion on a given regulatory matter. The DPO should also report to the highest level of management, ideally the board of directors. This is important because it allows management to receive timely feedback on compliance and data protection within the organization.
The DPO role involves complex working relationships with a wide range of stakeholders. It is for this reason that the DPO needs to be autonomous and free of conflicts of interest.
Practical steps forward
The high degree of competence and ethical standards associated with the role of the DPO may make it difficult for some organizations to find the right person. In deciding the latest case on the conflict of interest in acting as both DPO and head of compliance, risk and audit, the Belgian DPA concluded that the organization had acted with a “significant degree of negligence” in combining these roles.
The decision raises questions on future DPO appointments. Does this decision mean that combining the DPO role with the head of a department is an automatic conflict because that person is involved in the decision making?
In the meantime, some practical steps companies can take to ensure compliance include:
- Consider whether your company has a mandatory duty to appoint a DPO.
- Review the level of risk of its data processing and determine whether further resources are required to support an internal appointee, or whether outsourcing to a qualified and experienced DPO is a better business decision.
- Consider whether the current DPO has any potential or existing conflicts of interest.
- Document the company’s strategy and decision making in choosing a DPO, and have senior individuals sign off on the decision.
It is important to note that while empowering the Data Protection Officer is paramount in demonstrating high ethical standards, organizations remain ultimately responsible for signing off on decisions. However, it is reassuring to know that when your DPO is not bound to a particular interest, their advice is more likely to be objective and robust. This reduces the risk of monetary penalties, builds trust and enhances an organization’s brand. This is a win-win for all concerned.