The importance of ensuring your DPO has the Independence, Expertise and Skills (IES) to fulfil their role has never been greater.
In the fevered atmosphere of 2017-18 many organisations “appointed a DPO” to answer the question “how can we sort data protection?”
Yet we know that DPOs are not personally responsible for compliance (or cases of non-compliance) with the GDPR. Compliance remains the responsibility of the Data Controller.
Since 2018 the role of DPO has begun to settle. The DPO can often be seen as the person “doing” data protection and “responsible” for it; this is perhaps understandable, as the DPO should have data protection expertise and skills that will often be greater than many (if not all) within the organisation.
But an often-overlooked requirement of a Data Protection Officer (DPO) is independence, free from conflicts of interest.
This article looks at the IES all DPOs should have.
What does the guidance say?
The Article 29 Working Party provides clear guidance:
The required level of expertise should be proportionate to “…the sensitivity, complexity and amount of data an organisation processes.” There is also a difference “depending on whether the organisation systematically transfers personal data outside the European Union or whether such transfers are occasional.”
The DPO should therefore be “…chosen carefully, with due regard to the data protection issues that arise within the organisation.”
A DPO “…must have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR” and “…a good understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the controller.”
A DPO should also have personal qualities such as “…integrity and high professional ethics; the DPO’s primary concern should be enabling compliance with the GDPR.”
A DPO should play a key role in fostering a “…data protection culture within the organisation and helps to implement essential elements of the GDPR, such as the principles of data processing, data subjects’ rights, data protection by design and by default, records of processing activities, security of processing, and notification and communication of data breaches.”
Article 38(3) outlines core guarantees intended to ensure DPOs are able to perform their tasks with a sufficient degree of autonomy. In particular, Controllers and Processors are required to ensure that the DPO “does not receive any instructions regarding the exercise of [their] tasks.”
Recital 97 adds that DPOs, “whether or not they are an employee…should be in a position to perform their duties and tasks in an independent manner.”
This is why the GDPR states that a DPO “shall directly report to the highest management level” of the organisation (Art 38(3)). Such direct reporting ensures that senior management is aware of the DPO’s advice and recommendations, irrespective of whether they follow it.
Article 38(6) is clear: the DPO can fulfil other tasks and duties BUT “…the controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.”
It is therefore essential to ensure that the DPO does not have a conflict of interest. The DPO should be the “critical best friend” to the organisation; they cannot do this if their other role(s) involve making decisions about personal data, such as why it is being processed and/or how it is being handled. The Working Party is clear:
“The DPO cannot hold a position within the organisation that leads [them] to determine the purposes and the means of the processing of personal data.”
“…conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing.”
A DPO should not “mark their own homework”; they should not “monitor themselves” (or their colleagues, team or department) with regard to any processing of personal data.
Case Law is emerging
In September 2022 the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) fined a retail group €525,000 for non-compliance with the GDPR’s “conflict of interest” requirements.
Their DPO was at the same time Managing Director of two service companies which processed data on behalf of the Controller. These service companies were also part of the group, providing customer service and carrying out orders: the DPO had to monitor data protection compliance by the companies operating within the framework of the processing whilst also being responsible for making managerial decisions within them.
Change is coming?
In the UK, the draft Data Protection and Digital Information Bill proposes removing the obligation on some organisations to appoint a DPO.
Instead, outside the public sector, organisations would be required to assess whether they are processing data that is likely to result in a high risk to the rights and freedoms of individuals.
If so, they must designate a “Senior Responsible Individual” (SRI), who must themselves be a senior manager (rather than, as now, a DPO who reports to senior management).
And as now, the SRI must be adequately resourced, cannot be dismissed for performing their tasks and must fulfil certain tasks.
With changes likely in the UK, and European regulators taking action on DPO conflict of interest, now is a good time to review your approach to managing data protection risk.
You might conclude you have called someone your DPO but not fully realised what this means for:
- You (as Data Controller) – i.e. the commitment to provide the DPO with “resources necessary to carry out [their] tasks and access to personal data and processing operations, and to maintain [their] expert knowledge” (Art 38(2)) and to ensure the DPO is “involved, properly and in a timely manner, in all issues which relate to the protection of personal data” (Art 38(1)).
- Them (as an employee) with regard to their position (Art 38) and the tasks (Art 39) they have to fulfil.
Or you might, on reflection and a review of Article 37, conclude you are not required by law to appoint a DPO:
- You can embrace the freedom to ensure you have appropriate resources to manage the data protection and privacy risks you face.
But if you conclude you are required by law to appoint a DPO (or wish to appoint one voluntarily), the requirements of GDPR Articles 37-39 will apply.
- On review, you might conclude that the other function(s) you require the employee to fulfil mean they are not truly independent.
- If so, now is the time to recognise the need for a change: either allocate the DPO role to someone internally who has genuine independence, recruit a dedicated DPO, or engage an external DPO.