The Belgian Data Protection Authority (DPA) recently fined a company for appointing its Head of Compliance, Audit and Risk as its Data Protection Officer (DPO). The DPA found that combining the two roles creates a conflict of interest and therefore breaches Article 38(6) of the GDPR.
For many organisations, appointing a DPO has been one of the harder GDPR requirements to meet. The expertise the role demands, and the expectations placed on it, mean that companies often struggle to fill it. Because the role did not exist before the GDPR took effect in 2018, organisations had to decide quickly who could hold the position, and demand for people meeting the criteria outstripped supply. Many organisations therefore appointed a DPO from within their existing staff. Article 38(6) of the GDPR allows this: the DPO may perform other tasks and duties, provided those tasks and duties do not result in a conflict of interest.
The Article 29 Working Party issued guidance on what counts as a conflict of interest. One arises when the DPO also holds a position in the organisation that leads them to “determine the purposes and the means of the processing of personal data.” The examples given include the CEO, COO, Head of Marketing, Head of HR and Head of IT. As Heads of Compliance and Heads of Legal were not among those examples, many organisations that did not hire a full-time DPO gave the role to one of them; given those positions’ grounding in legal knowledge, merging the roles seemed a logical choice.
Following the Belgian DPA's ruling, however, companies that took this route may now face fines for the “negligence” of appointing a head of compliance or legal as DPO. The Belgian investigation was triggered by a data breach and found that the company had breached Article 38(6) of the GDPR by appointing its Head of Compliance, Risk and Audit as its DPO. The company argued that there was no conflict of interest because the DPO had no authority to make decisions about the processing of personal data.
The DPA disagreed. It held that the Head of Compliance, Risk and Audit was responsible for the processing of personal data carried out for compliance, risk and audit purposes, and that it was therefore impossible for that person to act independently as DPO.
Because the DPO role had by then existed for almost two years, the DPA found that the organisation had acted with a “significant degree of negligence” on this point and imposed a fine of €50,000. Although this may seem low, it is the highest fine the Belgian DPA has issued to date.
The Belgian DPA stated that:
The combination of the role of DPO with that of being the Head of any department that is subject to the DPO’s oversight prevents the DPO from acting independently.
On this reading, it seems that almost no existing role in a company can safely be combined with that of DPO, which makes it difficult for organisations to decide whether they need to create an entirely new position. Notably, the DPA appears to have sanctioned the company for a hypothetical conflict of interest: there was no evidence of an actual conflict affecting the DPO's work.
Although the decision sets a precedent for similar cases, it may still be appealed. In the meantime, organisations can reduce their exposure by putting in place a documented procedure for identifying and handling potential conflicts of interest, and by appointing a back-up DPO who can step in if an issue arises.
Given the complexity of appointing a DPO, it is no wonder that many companies look to outsource the role. The specialised skills and experience required mean it is often difficult to find an internal employee who meets the requirements. At Kazient, we provide an award-winning outsourced DPO service for organisations of all types. Using our service helps your organisation stay compliant with the GDPR and other data protection laws and avoid the consequences of non-compliance.
Kazient Privacy Experts offers bespoke data protection, privacy and GDPR compliance solutions, in a language you understand, to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to act as your outsourced Data Protection Officer or EU Representative. To find out how we can help your business, visit www.kazient.co.uk or call us on 0330 022 9009.