A Belgian organisation was recently fined €50,000 (about £44,300) by the country’s DPA (Data Protection Authority) for violating the GDPR’s (General Data Protection Regulation) requirements concerning the appointment of a DPO (data protection officer).
The person who filled the position was also the organisation’s director of the internal audit, risk management and compliance departments, which the DPA said constituted a conflict of interest.
So what exactly was the problem, and how can organisations avoid falling into the same trap?
The organisation’s problem relates to Article 38 of the GDPR, which governs the appointment of the DPO and the potential for conflicts of interest when the DPO carries out these tasks alongside another role.
If a member of staff is balancing their existing tasks with those of the DPO, the organisation must be sure that there are no conflicts of interest and must create a policy that ensures this remains the case.
Although the Belgian organisation argued that, as the director of internal audit, risk management and compliance, the employee was only acting in an advisory capacity, the DPA found that the employee could not advise on their own department’s activities without it interfering with their responsibilities as a DPO.
As John Potts, GRCI Law’s head of DPO, DSAR and breach support, notes, the concept of conflict of interest doesn’t just relate to one of the more commonly cited problems, which is that the DPO could receive direct instruction from their employer.
Rather, because the employee was making decisions about personal data processing, “it’s a question of not marking your own homework, rather than receiving instruction from the employer”.
Was this the right decision?
Since this announcement, there has been some speculation about whether Belgium’s data protection authority was correct in its assessment.
This is of course for the courts to decide should the company wish to appeal. The controversy stems from guidance issued by the European Data Protection Board (then the Article 29 Working Party) listing certain positions that would be considered to pose a conflict of interest; that list didn’t include the head of audit, risk and compliance.
“The previous list only included positions that would be responsible for significant quantities of data processing in respect of large categories of data subjects (e.g. all customers and prospects; all applicants, employees, alumni; everyone; all data subjects whose data is processed using information systems),” Potts said.
“This new ruling says that much smaller amounts of influence over ‘purposes and means’ also amount to a conflict.”
For the time being, this leaves many organisations in an uncertain position about whether their DPO poses a conflict of interest and whether they are at risk of being fined.
German university hospital in legal wrangle over unlawful DPO dismissal
In related news, a German university hospital recently came under fire for dismissing its DPO.
The qualified attorney had been employed for 11 years on a full-time basis, and was appointed to the DPO role alongside his existing position as the organisation prepared for the GDPR to take effect.
The hospital cited various examples of poor performance to justify their decision to dismiss him, including failure to implement the GDPR, failure to comply with the GDPR’s requirements, unwillingness to meet the role’s obligations, breach of contractual obligations and criminal law infringements.
Under German law, due to the official and independent nature of the DPO function, decisions related to the dismissal of a DPO are required to be considered by the German Work Council Provisions office.
As a result, the case involved a lengthy series of discussions and Work Council meetings in which the validity of the removal of the DPO was challenged.
The main argument by the plaintiff was that the DPO’s employment had been revoked but not the official DPO position for the organisation or its subsidiaries.
The court found that the DPO had neither violated nor neglected his duties and ruled in favour of the DPO.
This is another example of the complexities that can arise when a DPO is a full-time employee, but what other choice do organisations have?
Who can be a DPO?
There are no formal requirements for who can become a DPO. The position doesn’t need to be filled by a lawyer or qualified data protection practitioner.
The only requirement is that they have strong knowledge of data protection law – ideally encompassing both technical expertise gained from qualifications and practical experience.
This should include the ability to carry out a risk assessment of proposed processing and the other tasks of the DPO, including engaging with regulators, the board and other stakeholders.
This is clearly a big challenge, but the GDPR makes it slightly easier by allowing organisations to appoint an existing employee or a third party.
Likewise, if you don’t have the resources to hire someone dedicated to the DPO’s tasks, there are alternatives.
For example, organisations are permitted to share DPOs, meaning the same person can work for multiple companies.
This is a much more affordable option than hiring a dedicated employee, although it means the DPO won’t always be available – which could be a problem if you suffer a security incident and need urgent advice.
Another option is a remote DPO – someone who works remotely and is available on an ad hoc basis.
The benefits of a remote DPO
A remote DPO can complete all the tasks that an in-house one would, and at considerably less expense – given that you don’t need to recruit or train a dedicated employee.
It’s the perfect option for organisations looking for someone to take on the DPO’s responsibilities remotely and that don’t want to worry about potential conflicts of interest.
You can find out more by taking a look at our DPO as a service.
With this service, one of our data protection experts will be assigned to your organisation and will work with you to understand your compliance requirements.
You will also be allocated a second, equally qualified and experienced expert, who will step in when your DPO is on annual leave or off sick. This ensures you always get the help you need and aren’t left in the lurch during a crisis.
Because we specialise in data protection and information security, our team has sector-specific knowledge and experience, and visibility of the latest trends, best practice, developments and challenges.