DPOs (data protection officers) play a crucial role in an organisation’s information security and data privacy practices.
Certain organisations must appoint a DPO to comply with the GDPR (General Data Protection Regulation), while others will benefit from independent expertise regardless of their regulatory obligations.
The GDPR provides several options on who can fulfil the DPO’s tasks and responsibilities. Its only stipulations are that candidates must have a strong understanding of data protection laws and anyone who takes on the role cannot have a conflict of interest.
But what is considered a ‘conflict of interest’ under the GDPR, and how can you prevent one occurring? We explain everything you need to know in this blog.
What does the GDPR say about conflicts of interest?
A DPO’s purpose is to provide organisations with guidance on how to use personal data in line with the GDPR’s requirements.
Their ability to act independently is essential, because most decision-makers within an organisation will be biased. These decision-makers will have organisational objectives – whether in productivity, financial returns or another metric – and it will be almost impossible for them not to favour data processing practices that support those goals.
But doing so increases the risk of data protection requirements being overlooked, which could in turn result in a data breach or privacy violation.
By having a DPO to oversee data processing practices, organisations mitigate this risk. That’s not to say that the DPO can’t also take on another role within the organisation. Article 38 of the GDPR, which outlines the requirements for appointing a DPO, states that a DPO “may fulfil other duties”.
However, Article 38 adds that when an employee also takes on the DPO role, the organisation “shall ensure that any such tasks and duties do not result in a conflict of interests”.
A conflict doesn’t automatically arise when a DPO takes on other roles, nor must a DPO focus only on your organisation’s best interests. DPOs can work for several different organisations on a part-time basis.
Rather, a conflict of interest arises in one specific circumstance: when the DPO performs tasks that influence the way their employer uses personal data. This will only be a problem if:
- The DPO takes on the role alongside their existing job role; and
- In that job they have the power to make decisions about data processing activities.
Job roles that constitute a conflict of interest
The Article 29 Working Party, the EU advisory board on data protection compliance, published guidelines on appointing a DPO. It noted that, although some job roles were likely to create a conflict of interest, it is not always clear-cut.
This is because organisations will handle personal data in different ways depending on their structure. As such, they should review the possibility of a conflict of interest on a case-by-case basis.
Nonetheless, the guidelines include a list of job roles that will typically create a conflict of interest:
- Senior management positions
- Chief executive
- Chief operating officer
- Chief financial officer
- Chief medical officer
- Head of marketing
- Head of human resources
- Head of the IT department
What can organisations do to avoid a conflict of interest?
The GDPR gives organisations a number of options for appointing a DPO, so it’s always possible to avoid a conflict of interest.
The simplest solution is to hire an external DPO. This can be a full-time employee who is brought in as a dedicated DPO or a data protection consultant.
If you would rather appoint someone internally, there are steps you can take to ensure a conflict of interests doesn’t arise. First, you should identify positions within the organisation where decisions are made regarding data processing activities.
Once you have ruled out incompatible job roles, you should assess your remaining employees and determine who is best suited to be a DPO.
If you can identify a qualified candidate who is willing to take on the role, your next task is to draw up internal rules to ensure that the employee acts independently and without instruction from their employer.
Those rules must include safeguards to prevent a conflict of interest arising should the DPO take extended leave. One key requirement is to identify another employee who can complete core functions on a temporary basis.
The organisation must also ensure that the DPO receives the budget and other resources to complete their tasks.
Appoint a truly independent DPO
Although it’s possible to appoint a DPO internally, organisations will struggle to find a qualified employee whose role isn’t in conflict with the DPO’s functions.
Unfortunately, hiring an external candidate on a full-time basis is no more practical. Data protection experts are hard to find, with a far greater demand than supply.
For many organisations, the best option is to hire a third-party consultant. Doing so is an ideal middle ground, as you will gain independent expertise at an affordable price while avoiding a conflict of interests.
If you want to know more about how the process works, GRCI Law can help. Our DPO as a service package provides you with the expert support you need to meet your GDPR compliance requirements.
One of our team of data protection practitioners will be assigned to your organisation and will fulfil the necessary tasks to ensure that you remain GDPR compliant.