
The Privacy Advisor | How to ensure you appoint an independent DPO


In light of recent regulator action regarding data protection officer independence, it's an important moment to consider the ethical and practical considerations surrounding the appointment of a DPO.

A sporting analogy is helpful here: The essential question is whether one person can be both a coach and a referee. Arguably not. A referee (or DPO) must be in a position to freely advise on the rules of the game, monitor compliance and, ultimately, give a red card without fear of reprisals from owners, shareholders, managers or the players themselves. Increasingly, the position and independence of a DPO are a barometer of an organization’s ethical standards.

Fines and regulatory risk

On April 28, the Belgian Data Protection Authority issued a 50,000 euro fine to an organization for appointing the head of compliance, audit and risk management as DPO. The Belgian DPA argued that these two combined roles created a conflict of interest and violated Article 38(6) of the EU General Data Protection Regulation.

This decision is in line with earlier holdings where the Belgian DPA stated that DPOs may not themselves delete personal information of a data subject. All decisions regarding the data processing must be taken by the data controller with the advice of the DPO. In other words, the DPO’s role is to inform and advise, monitor compliance, and act as the contact for the supervisory authorities, as well as for data subjects. The data controller, on the other hand, makes the decisions on data processing, including data deletion.

If the DPO makes strategic decisions for the organization or if they hold an operational role, they may be involved in decision making about processing activities. What then are the ethical and pragmatic considerations of choosing a DPO? It is important to consider the types of processing the organization carries out, the levels of risk to individuals and the extent to which the DPO can carry out their duties without risk of making decisions as a controller or processor.

The day-to-day of a DPO

This decision by the DPA highlights important aspects of the GDPR and its intrinsic requirement for an independent DPO. The DPO is expected to have a high level of expertise, as well as be available to act as a point of contact between the organization, the authorities and data subjects. The DPO is also responsible for tracking compliance within an organization, collecting information on processing activities, ensuring that data processing satisfies GDPR requirements, and advising the controller and processor on these matters. In other words, the DPO role requires the full cooperation of multiple departments and stakeholders within an organization.

Given the DPO’s central role in maturing a data protection program, the DPO is well placed to keep records regarding the organization’s data protection program and compliance. Additionally, the DPO should have adequate access to the information necessary to help the organization create data inventories or registers with details on data processing operations in various business functions. Oversight of these records is not only necessary to adhere to the accountability principle; it also allows the DPO to better fulfill their role.

Another core duty of any DPO is to advise the controller when a data protection impact assessment is necessary, what methods to use in carrying it out, and whether additional resources are needed. Once a DPIA has been carried out, the DPO examines whether it is satisfactory and, based on the findings, advises on how to proceed. When significant risks have been identified with a processing activity, the DPO should advise on whether additional safeguards can be put in place to make the processing compliant or if that particular process should be abandoned.

Supervisory authorities should be able to access information via the DPO to fulfill their investigative, advisory and corrective role. It is important to note that while the DPO has a duty of confidentiality and secrecy, this does not preclude them from consulting with the supervisory authorities as needed. The concept of “secrecy” is not well defined in the GDPR, although other data protection laws, such as the German Federal Data Protection Act, bind the DPO to secrecy regarding a data subject’s identity and the circumstances enabling data subjects to be identified.

The DPO is also the contact point for the data subjects in exercising their rights, which means they should be easily accessible via phone, mail or email. Moreover, organizations need to conduct data protection and privacy training to be and remain compliant. The DPO should be involved in advising and training employees and relevant stakeholders on GDPR compliance.

Independence as a core value

Given the DPO’s critical role, they must be independent. The controller or processor should view the DPO as an advisor and refrain from directing them on how to fulfill their duties. The DPO should report to the highest level of management, ideally the board of directors. This is particularly important because it allows the management team to receive timely feedback on compliance and data protection within the organization.

The DPO role involves intricate dynamics with various stakeholders, often navigating conflicts of interest. Such dilemmas may be more pronounced when an organization has an internal DPO. There should always be a clear line between serving as an organization’s DPO and acting as a decision-maker for the controller. In a sense, the DPO is an extension of the supervisory authority, thus creating the need for a high degree of integrity and ethics in fulfilling this role.

Given the need for objective independence, the GDPR mandates job security for DPOs, meaning they cannot be dismissed or penalized for carrying out their duties.

The future of DPOs

In deciding the latest case on the conflict of interest in acting as a DPO and head of compliance, risk and audit, the Belgian DPA noted that the duality of the DPO role posed a conflict of interest. Consequently, the DPO was unable to act with independent oversight on these processing activities. The Belgian DPA concluded that the organization had acted with a “significant degree of negligence” in combining these roles.

The decision raises questions on future DPO appointments and when individuals within an organization are conflicted out. Does this decision mean that combining the DPO role with the head of a department is an automatic conflict because that person is involved in decision making? These are ethical questions that organizations will have to answer. Hopefully, DPAs in various jurisdictions will issue more guidance on this dilemma.

In the meantime, some practical steps companies can take to ensure compliance include:

  • Consider if your company is under a mandatory duty to appoint a DPO.
  • Review the risk associated with your data processing, and determine if further resources are required.
  • Consider whether the current DPO has any potential or existing conflicts of interest.
  • Document the company’s strategy and decision making in choosing a DPO.

As DPAs continue to further define the legal and ethical boundaries of the DPO, there will be an increased demand for outsourced or external DPOs with strong expertise to support the work of an internal DPO or to act in the capacity of DPO. While empowering the DPO is paramount in demonstrating high ethical standards, organizations are ultimately responsible for signing off on decisions.

When a DPO is without conflicts of interest, their advice is more likely to be objective and robust. This ultimately reduces the risk of monetary penalties, builds trust and enhances an organization’s brand.

5 Comments


  • Simon Hania • Jun 24, 2020
    "In a sense, the DPO is an extension of the supervisory authority,..."
    I vehemently disagree. It should read "In no sense is the DPO an extension of the supervisory authority,..." That is part of being independent too: not being an extension of anyone or anybody!
  • Helga Turku • Jul 1, 2020
    Simon, you raise an interesting point, but surely DPOs are the 'boots on the ground' for supervisory authorities; these are the people who ensure regulations are upheld, independent of commercial or other interests. As a DPO service, we encourage high standards of data protection and privacy compliance, which is the ultimate aim of regulators. Yes, we are independent of authorities, but we don’t see a conflict in referring to DPOs as extending the high standards recommended by authorities. This is not to say that DPOs should not advocate for organisations, individuals and authorities and flag issues when they are considered expansive or limited in their approach.
  • Simon Hania • Jul 3, 2020
    Still do not agree that a DPO should be "boots on the ground" for a DPA. Actually, as a DPO I have pushed back to DPAs as well on occasions.
    If anything, DPOs represent the voice of the individuals (or data subjects, if you like that dehumanising jargon) with respect to their fundamental rights and the complex reconciliation sometimes required.
  • Helga Turku • Jul 5, 2020
    Appreciate your views and agree DPOs should be sufficiently independent to advocate for or push back on approaches from organisations, regulators or individuals where appropriate. Not an easy task, hence the need for qualified and experienced individuals or outsourced firms in the position.
  • Paulo Almeida • Jul 29, 2020
    Regarding the issue of the DPO as an extension of the supervisory authority, Dyann Heward-Mills wrote: "It has been accurately observed that the DPO is the manifestation of the supervisory authority in an organization." (https://iapp.org/news/a/the-dpo-must-be-independent-but-how/)

    I'm not an expert; I was trying to understand the independence of the DPO and came across these two articles.