The appointment of a data protection officer is key to organizational efforts to achieve operational compliance in data protection.
However, as regulators continue to push for a shift from compliance toward accountability, the discussion firmly places the spotlight on conflicts of interest (COI) that may emerge between businesses and their DPOs.
DPO as a Key Figure in Accountability
There is a spectrum of definitions of accountability. In data protection and privacy circles, accountability is a principle that entails, among other things, appointing an individual known as the DPO. The DPO is responsible for developing and monitoring an organization-wide privacy management program to meet all obligations under applicable regulations, for example, the EU’s General Data Protection Regulation (Article 37), the Colombian Accountability Guidelines (Section 3), the Canadian PIPEDA (first privacy principle), or Singapore’s Data Protection Act (Section 11), whose Commissioner has recently released a DPO Competency Framework.
While the specific role of the DPO must always be defined, the resources allocated to that role must also be identified and adequate, since the data protection management program is essentially an enterprise-level risk management program.
DPOs must be recognized as independent by the top management, allowing them to perform their relevant tasks, from conducting compliance checks to post-breach investigation, without receiving any instruction.
From a synopsis of recent public guidance, notably by the European Data Protection Board, the State Data Protection Commissioner of Baden-Wuerttemberg, the Danish Datatilsynet, the Information Commissioner’s Office, and the Belgian Gegevensbeschermingsautoriteit, one may distinguish three types of COI in which DPOs may have their hands tied by their organization; these are briefly discussed below.
1. The “DPO–Boss”
A DPO faces competing interests when holding a senior management position that implies decision-making on the purposes and means of processing—a competence which under most data protection laws is strictly assigned to the data controller and its representative bodies.
As a second factor, managerial positions that must treat economic interests as a priority and strive for cost minimization often lack the necessary “arm’s length” distance from their organization, which may be detrimental to the interests of data subjects.
2. The “I-Trust-Myself DPO”
Closely linked to the first group, a COI can also arise where internal or external DPOs have to self-monitor their own activities and compliance. As DPOs cannot be “both judge and judged,” even IT managers or system administrators who do not necessarily belong to top management, but may decide on an essential area of IT structures, cannot be accepted as DPOs.
Shortcomings at this point have led to fines even before the GDPR became fully applicable, such as in a publicly known case of the Bavarian Data Protection Authority.
3. The “DPO of All Trades” (and Master of None?)
DPOs face competing interests when they draft entire data processing documents without any significant involvement of the organization, or when they respond to requests from data subjects on their own authority. In this respect, the Belgian Data Protection Authority has recently noted a COI in a particular case where an individual kept receiving a newsletter due to a technical error. The Authority concluded that the DPO was not entitled to remove the data subject’s email address from the distribution list; this would rather have been the task of the data controller under Article 17 GDPR.
We believe the board of directors of the organization or its independent privacy committee must be involved before documenting or adjusting the privacy program in light of any material changes to the organization’s privacy policies and procedures. Ensuring that they are informed and consulted from the earliest stage possible on all issues relating to data protection is a real step towards ‘accountability plus’.
Avoiding and Handling COI
No matter how likely COI may emerge in an organization, both controllers and processors are encouraged to adopt a declaration by which they commit themselves to detect and resolve COI from the outset. The declaration should list all existing roles within the organization that are incompatible with that of the DPO and include a transparent, rapid procedure for identifying such conflicts in the future.
When in doubt, an assistant DPO (or a suitable member of the Data Protection Committee) should be available who may take over further communication and cooperation with the business partner towards whom the DPO may be biased.
Companies that intend to appoint as their DPO an individual who was previously engaged in activities incompatible with this position should observe a sufficiently long cooling-off period, which must be determined on a case-by-case basis.
When submitting (annual) reports to the top management, DPOs should provide a statement on their independence and disclose any circumstances that would prevent them from exercising their functions in a neutral way. All the better if there is literally “nothing to disclose” on this occasion.
When DPOs contact supervisory authorities, not only to report a data breach but also when launching new products and taking on high-risk processing activities, they should strive for neutral language and a self-critical approach. Supervisory authorities are aware that every privacy and data protection management system has weak points that can only be improved if concerns are not swept under the carpet.
Finally, the DPO must perform his/her tasks with a high level of integrity and professional ethics. For example, the DPO must avoid taking advantage of insider information. In the Equifax data breach case, the former chief information officer was found guilty of using confidential information for his own benefit in a serious breach.
Re-Appreciating the DPO
We hope this discussion has stimulated more appreciation for the DPO. In choosing a suitable DPO, the organization gains an ally who—at arm’s length—lends a supportive hand to the organization, helping to form an upright posture that will garner even more trust through demonstrating ‘accountability plus’.
A more in-depth Bloomberg Law analysis of the points discussed above is available here.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Christopher Schmidt (CIPP/E CIPM CIPT) has worked at the International and European Affairs Department of the Hessian Data Protection Commissioner. He is a German Magister of Law with IT and data protection knowledge and a BTA Certified Blockchain Solution Architect. He regularly speaks on current data protection matters in German, English, French, and Italian.
Qian Li Loke (FIP CIPP/A CIPM) is a consultant at Straits Interactive and an ambassador of the Data Protection Excellence Network. He regularly speaks, writes and trains on data protection with a business flavor.
Luis Alberto Montezuma (CIPP/C CIPP/E CIPP/US CIPM FIP and Privacy by Design). He is currently deputy assistant to the chair of Colombia’s Data Protection Authority (Superintendent Delegate for the Protection of Personal Data of the Superintendence of Industry and Commerce). He also serves as a member of the IAPP Privacy Bar Section Advisory Board and is co-chairman of the IAPP Bogota, Colombia KnowledgeNet Chapter.
The views expressed in this article do not necessarily correspond to those of the authors’ respective organizations.