How to ensure you appoint an independent DPO

In light of recent regulator action regarding data protection officer independence, it's an important moment to consider the ethical and practical considerations surrounding the appointment of a DPO.

A sporting analogy is helpful here: The essential question to consider is can one player be a coach and a referee? Arguably not. A referee (or DPO) must be in a position to freely advise on the rules of the game, monitor compliance and, ultimately, give a red card without fear of reprisals from owners, shareholders, managers or the players themselves. Increasingly, the position and independence of a DPO is a barometer of an organization’s ethical standards.

Fines and regulatory risk

On April 28, the Belgian Data Protection Authority issued a 50,000 euro fine to an organization for appointing the head of compliance, audit and risk management as DPO. The Belgian DPA argued that these two combined roles created a conflict of interest and violated Article 38(6) of the EU General Data Protection Regulation.

This decision is in line with earlier holdings where the Belgian DPA stated that DPOs may not themselves delete personal information of a data subject. All decisions regarding the data processing must be taken by the data controller with the advice of the DPO. In other words, the DPO’s role is to inform and advise, monitor compliance, and act as the contact for the supervisory authorities, as well as for data subjects. The data controller, on the other hand, makes the decisions on data processing, including data deletion.

If the DPO makes strategic decisions for the organization or if they hold an operational role, they may be involved in decision making about processing activities. What then are the ethical and pragmatic considerations of choosing a DPO? It is important to consider the types of processing the organization carries out, the levels of risk to individuals and the extent to which the DPO can carry out their duties without risk of making decisions as a controller or processor.

The day-to-day of a DPO

This decision by the DPA highlights important aspects of the GDPR and its intrinsic requirement for an independent DPO. The DPO is expected to have a high level of expertise, as well as be available to act as a point of contact between the organization, the authorities and data subjects. The DPO is also responsible for tracking compliance within an organization, collecting information on processing activities, ensuring that data processing satisfies GDPR requirements, and advising the controller and processor on these matters. In other words, the DPO role requires the full cooperation of multiple departments and stakeholders within an organization.

Given the DPO’s central role in maturing a data protection program, the DPO is able to keep records regarding the organization’s data protection program and compliance. Additionally, the DPO should have adequate access to information necessary to help the organization create data inventories or registers with details on data processing operations in various business functions. Oversight on these records is not only necessary to adhere to the accountability principle, it also allows the DPO to better fulfill their role.

Another core duty of any DPO is to advise the controller when a data protection impact assessment is necessary, what methods to use in carrying it out, and whether additional resources are needed. Once a DPIA has been carried out, the DPO examines whether it is satisfactory and, based on the findings, advises on how to proceed. When significant risks have been identified with a processing activity, the DPO should advise on whether additional safeguards can be put in place to make the processing compliant or if that particular process should be abandoned.

Supervisory authorities should be able to access information via the DPO to fulfill their investigative, advisory and corrective role. It is important to note that while the DPO has a duty of confidentiality and secrecy, this does not preclude them from consulting with the supervisory authorities as needed. The concept of “secrecy” is not well defined in the GDPR, although other data protection laws, such as the German Federal Data Protection Act, binds the DPO to secrecy regarding a data subject’s identity and the circumstances enabling data subjects to be identified.

The DPO is also the contact point for the data subjects in exercising their rights, which means they should be easily accessible via phone, mail or email. Moreover, organizations need to conduct data protection and privacy training to be and remain compliant. The DPO should be involved in advising and training employees and relevant stakeholders on GDPR compliance.

Independence as a core value

Given the DPO’s critical role, they must be independent. The controller or processor should view the DPO as an advisor and refrain from directing them on how to fulfill their duties. The DPO should report to the highest level of management, ideally the board of directors. This is particularly important because it allows the management team to receive timely feedback on compliance and data protection within the organization.

The DPO role involves intricate dynamics with various stakeholders, often navigating conflicts of interest. Such dilemmas may be more pronounced when an organization has an internal DPO. There should always be a clear line between serving as an organization’s DPO and acting as a decision-maker for the controller. In a sense, the DPO is an extension of the supervisory authority, thus creating the need for a high degree of integrity and ethics in fulfilling this role.

Given the need for objective independence, the GDPR mandates job security for DPOs, meaning they cannot be dismissed or penalized for carrying out their duties.

The future of DPOs

In deciding the latest case on the conflict of interest in acting as a DPO and head of compliance, risk and audit, the Belgian DPA noted that the duality of the DPO role posed a conflict of interest. Consequently, the DPO was unable to act with independent oversight on these processing activities. The Belgian DPA concluded that the organization had acted with a “significant degree of negligence” in combining these roles.

The decision raises questions on future DPO appointments and when individuals within an organization are conflicted out. Does this decision mean that combining the DPO role with the head of a department is an automatic conflict because that person is involved in decision making? These are ethical questions that organizations will have to answer. Hopefully, DPAs in various jurisdictions will issue more guidance on this dilemma.

In the meantime, some practical steps companies can take to ensure compliance include:

• Consider if your company is under a mandatory duty to appoint a DPO.
• Review the risk associated with your data processing, and determine if further resources are required.
• Consider whether the current DPO has any potential or existing conflicts of interest.
• Document the company’s strategy and decision making in choosing a DPO.

As DPAs continue to further define the legal and ethical boundaries of the DPO, there will be an increased demand for outsourced or external DPOs with strong expertise to support the work of an internal DPO or to act in the capacity of DPO. While empowering the DPO is paramount in demonstrating high ethical standards, organizations are ultimately responsible for signing off on decisions.

When a DPO is without conflicts of interest, their advice is more likely to be objective and robust. This ultimately reduces the risk of monetary penalties, builds trust and enhances an organization’s brand.

Photo by Nathan Shively on Unsplash