In light of recent regulator action regarding data protection officer independence, it’s an important moment to consider the ethical and practical considerations surrounding the appointment of a DPO.
A sporting analogy is helpful here: The essential question to consider is can one player be a coach and a referee? Arguably not. A referee (or DPO) must be in a position to freely advise on the rules of the game, monitor compliance and, ultimately, give a red card without fear of reprisals from owners, shareholders, managers or the players themselves. Increasingly, the position and independence of a DPO is a barometer of an organization’s ethical standards.
Fines and regulatory risk
On April 28, the Belgian Data Protection Authority issued a 50,000 euro fine to an organization for appointing the head of compliance, audit and risk management as DPO. The Belgian DPA argued that these two combined roles created a conflict of interest and violated Article 38(6) of the EU General Data Protection Regulation.
This decision is in line with earlier holdings where the Belgian DPA stated that DPOs may not themselves delete personal information of a data subject. All decisions regarding the data processing must be taken by the data controller with the advice of the DPO. In other words, the DPO’s role is to inform and advise, monitor compliance, and act as the contact for the supervisory authorities, as well as for data subjects. The data controller, on the other hand, makes the decisions on data processing, including data deletion.
If the DPO makes strategic decisions for the organization or if they hold an operational role, they may be involved in decision making about processing activities. What then are the ethical and pragmatic considerations of choosing a DPO? It is important to consider the types of processing the organization carries out, the levels of risk to individuals and the extent to which the DPO can carry out their duties without risk of making decisions as a controller or processor.
The day-to-day of a DPO
This decision by the DPA highlights important aspects of the GDPR and its intrinsic requirement for an independent DPO. The DPO is expected to have a high level of expertise, as well as be available to act as a point of contact between the organization, the authorities and data subjects. The DPO is also responsible for tracking compliance within an organization, collecting information on processing activities, ensuring that data processing satisfies GDPR requirements, and advising the controller and processor on these matters. In other words, the DPO role requires the full cooperation of multiple departments and stakeholders within an organization.
Given the DPO’s central role in maturing a data protection program, the DPO is able to keep records regarding the organization’s data protection program and compliance. Additionally, the DPO should have adequate access to information necessary to help the organization create data inventories or registers with details on data processing operations in various business functions. Oversight on these records is not only necessary to adhere to the accountability principle, it also allows the DPO to better fulfill their role.
Another core duty of any DPO is to advise the controller when a data protection impact assessment is necessary, what methods to use in carrying it out, and whether additional resources are needed. Once a DPIA has been carried out, the DPO examines whether it is satisfactory and, based on the findings, advises on how to proceed. When significant risks have been identified with a processing activity, the DPO should advise on whether additional safeguards can be put in place to make the processing compliant or if that particular process should be abandoned.
Supervisory authorities should be able to access information via the DPO to fulfill their investigative, advisory and corrective role. It is important to note that while the DPO has a duty of confidentiality and secrecy, this does not preclude them from consulting with the supervisory authorities as needed. The concept of “secrecy” is not well defined in the GDPR, although other data protection laws, such as the German Federal Data Protection Act, binds the DPO to secrecy regarding a data subject’s identity and the circumstances enabling data subjects to be identified.
The DPO is also the contact point for the data subjects in exercising their rights, which means they should be easily accessible via phone, mail or email. Moreover, organizations need to conduct data protection and privacy training to be and remain compliant. The DPO should be involved in advising and training employees and relevant stakeholders on GDPR compliance.
Independence as a core value…
IAB Europe’s advertising bidding model uses personal data, EU court rules
After clarification from Luxembourg, the Belgian Court of Appeal will now rule on the case…