Wearing two hats: DPO & internal functions
For many organizations, appointing a Data Protection Officer (DPO) is a mandatory step towards meeting the requirements of the General Data Protection Regulation (GDPR).
Irina Hedea - Sponsoring Partner - Information & Technology Risk - Deloitte
Georges Wantz - Managing Director - Technology & Enterprise Application - Deloitte
Aleksandra Suwala - Senior Consultant - Information & Technology Risk - Deloitte
Sibil Manco - Analyst - Information & Technology Risk - Deloitte
Published on 11 March 2020
The General Data Protection Regulation (GDPR) has introduced many challenges for organizations. One of them is the decision on the designation of a Data Protection Officer (DPO). While choosing a DPO is often key to meeting the requirements of the GDPR, organizations need to bear in mind that DPOs must not receive instructions regarding the exercise of their role. A DPO should report directly to the highest management level of the organization. Moreover, a DPO should be a person with a high degree of knowledge and understanding of data protection law and, from a practical perspective, of the business and the particular sector in which the company operates.
Since the GDPR's entry into force in 2016, organizations have tended to look internally first and to entrust the DPO's responsibilities to a current employee or a member of upper management. However, given the independence required of a DPO, organizations that have assigned this role internally must be careful to regularly assess potential conflicts of interest with other roles, including those that arise naturally from the line of hierarchical reporting.
One of the most important principles of the GDPR is accountability, i.e., being able to demonstrate compliance with the law¹. The principle of accountability implies a cultural change within organizations and endorses building a comprehensive compliance structure with a DPO at its core.
How has the role of a DPO become important in the EU?
The nomination of a DPO has become standard practice in the European Union, especially amongst companies in the financial, corporate and technology sectors. This is due to the general requirements of the GDPR, which fit the circumstances of many organizations; to local laws that require it, e.g., in Germany, where a controller that constantly employs at least 20 persons dealing with the automated processing of personal data must designate a DPO²; and to the growing awareness of accountability.
Deloitte has conducted a survey across a sample of both consumers and organizations to gain insights into attitudes towards data privacy since the GDPR became applicable on 25 May 2018. The survey was run across eleven countries, both inside and outside the EU, to understand what impact the GDPR has had on organizations³. Of the countries surveyed, 96% of Spanish businesses have appointed a DPO, followed by Italy (93%), the United Kingdom (92%) and France (76%). Note that appointing a DPO is not mandatory for all organizations, depending on the personal data they process, so these are relatively high numbers and highlight the importance that organizations have placed on having accountability in place for data protection.
Percentage of organizations that have implemented a DPO position per selected countries
1 Art. 5(2) of the GDPR.
2 Section 38 of the German Bundesdatenschutzgesetz (BDSG).
3 "A new era for privacy, GDPR six months on", Deloitte, 2018. "Deloitte's General Data Protection Regulation ("GDPR") survey was based on 1,100 responses from individuals with involvement in GDPR within their organizations and 1,650 responses from consumers. The survey was conducted across 11 countries to get a view on consumer perceptions and organizations' responses to GDPR inside and outside the EU. The countries surveyed were the UK, Spain, Italy, Netherlands, France, Germany, Sweden, USA, Canada, India, and Australia."
POSITION AND TASKS OF A DPO
The main task of a DPO is to inform and advise the organization and its employees on their obligations with regard to the protection of personal data. A DPO should also monitor the organization's compliance with the GDPR and with its internal policies and procedures, provide the necessary advice on personal data protection, and cooperate with supervisory authorities. As part of monitoring compliance, DPOs may, in particular, collect information to identify processing activities, analyze and check the compliance of those processing activities, and inform, advise and issue recommendations to the organization with regard to them⁴.
To perform their tasks, DPOs must not be instructed on how to do their job, and they should report directly to the highest management level of the organization. Moreover, organizations must provide the DPO with the necessary resources and ensure that the fulfilment of the DPO's tasks "does not result in a conflict of interests"⁵.
4 Article 29 Working Party, "Guidelines on Data Protection Officers ('DPOs')", 2016.
5 Art. 38 (6) of the General Data Protection Regulation.
POTENTIAL CONFLICT OF INTEREST
Can a DPO hold an executive position within the company? Which existing functions are not a good fit for taking on the role of a DPO? This topic has been the subject of a number of recent decisions by supervisory authorities across the European Union, as well as of regulatory guidance. Positions bearing a risk of a potential conflict of interest with the role of a DPO include senior management positions such as CEO, COO, CFO, Head of Marketing, Head of Human Resources and Head of IT⁶, to name but a few.
6 See above, item 4, p.16.
For example, a conflict of interest may arise in the following cases:
When a DPO determines the purposes and the means of the processing of personal data
e.g., when a DPO makes the final decisions on the organization's strategy for personal data processing, i.e., the very decisions a DPO should be in a position to challenge from a GDPR-compliance perspective. This may happen, for instance, when the role of a DPO is combined with the role of a CEO. On a day-to-day basis, CEOs have to make decisions about the development of their companies. Some of those decisions, such as launching a marketing campaign involving customer profiling, are subject to restrictions under the GDPR. While the DPO's role is to challenge such a decision and provide recommendations on a GDPR-compliant way of conducting such a campaign, the CEO's role is usually to look at the business perspective rather than at the GDPR aspects as such. It is, therefore, recommended to keep the roles separate in order to avoid a conflict of interest.
When DPOs monitor their own activities⁷
e.g., a Head of IT Department in charge of the selection and deployment of IT tools. Such tools often raise questions concerning GDPR compliance. While it is the DPO's role to analyze those tools and provide recommendations on their use in compliance with data protection law, the role of a Head of IT Department is rather to select tools from the business and technical perspective. Combining both roles may, therefore, lead to a conflict of interest.
When a DPO can decide alone on actions to meet the requirements of the GDPR
e.g., the Belgian Data Protection Authority has pointed out that a DPO who acted upon a request of a data subject and erased the personal data personally was in violation of the GDPR's conflict-of-interest principles. This is because, even though data subjects may contact the DPO on all matters relating to the processing of their personal data and the exercise of their rights, the decision on the exercise of the data subject's rights must be made by the controller (the organization)⁸.
7 Decision of the Bavarian Data Protection Authority from October 2016, https://www.lda.bayern.de/de/index.html
HOW TO AVOID A CONFLICT OF INTEREST?
Whether faced with a decision following an assessment of the independence of the DPO role or in doubt about a possible conflict of interest, organizations should respond appropriately.
Failing to take the measures needed to meet the GDPR requirements regarding the DPO affects not only the likelihood of a conflict of interest actually occurring, but also data protection governance in general.
Avoiding conflicts of interest is not as simple in practice as it seems in theory, and the practical application of the principle poses an ongoing challenge for organizations. Placing the DPO role in a hierarchical chain that helps to avoid conflicts of interest is a large part of the solution. Building a sound basis that meets the GDPR requirements and maintaining an efficient framework of controls is therefore a good start. Involving top management in regular reporting and decisions can be another ingredient for success.
Outsourcing the role of the DPO, i.e., hiring an external provider to take over the role, may also be an option to reinforce the independence of the DPO, although such an option comes with its own specific considerations that should be assessed.
- The GDPR has brought many challenges to organizations. One of them is the decision on the designation of a Data Protection Officer.
- The position of DPO is regulated by the GDPR. As such, DPOs must not receive instructions regarding the exercise of their role and should report directly to the highest management level of the organization.
- Assigning the role of a DPO to an internal function may result in a conflict of interest.
- Performing a regular review of possible conflicts of interest can bring a lot of value to organizations; outsourcing the DPO role may be an option to reinforce the independence of the DPO.
- Running an efficient framework of data protection controls is a key factor in supporting the DPO role and in meeting the GDPR requirements.
General Data Protection Regulation
The General Data Protection Regulation, which has applied since 25 May 2018, aims to create a homogeneous framework for all personal data processing taking place in the European Union.