For many organisations, the appointment of the DPO has been one of the more complicated requirements to deal with under the GDPR. The detailed description of the workload, the high requirements in terms of expertise, and the expectations of the Article 29 Working Party guidelines in terms of availability and language skills set the bar very high. Add the fact that this function did not exist in most EU Member States and/or organisations, creating a huge demand for the limited number of people who met the legal requirements, and it is clear why many organisations have had great difficulty finding the right person for the job.

It is therefore no wonder that many organisations decided to appoint the DPO from within the organisation. After all, article 38.6 GDPR expressly allows organisations to appoint a DPO who fulfils “other tasks and duties” as long as it does not result in a conflict of interest.

The Article 29 Working Party elaborated further on this principle in its Guidelines on Data Protection Officers: A conflict of interest will exist in situations where a DPO holds a position within the organisation that leads him or her “to determine the purposes and the means of the processing of personal data”. Although the Article 29 Working Party acknowledged that this assessment is done on a case-by-case basis, as a rule of thumb, it identified senior management positions such as CEO, COO, Head of Marketing, Head of HR or Head of IT as conflicting positions.

As a result of these guidelines, hundreds if not thousands of organisations who did not require a full-time DPO opted to appoint their head of compliance or head of legal as DPO.

This seemed logical. People in these positions could easily become “experts in data protection law” (art. 37.5 GDPR), if they were not already. They are typically closely familiar with legal compliance and how it is implemented in practice. Furthermore, in their role as head of legal/compliance, they are not involved in the decision-making for key data processing activities (such as HR data, customer data, patient data, etc.).

Based on the latest decision of the Belgian DPA, all these organisations run the risk of fines, having demonstrated a “high degree of negligence” in appointing their head of compliance/legal as DPO.

2. Belgian Data Processing Authority ruling

Following an investigation triggered by a data breach, the DPA’s Inspection Service alleged that the defendant did not comply with article 38.6 GDPR because it appointed its Head of Compliance, Risk and Audit as DPO.

The defendant argued that there was no conflict of interest between these roles, to the extent that the DPO was not involved in any decision-making around the processing of personal data.

The DPA disagreed, pointing out that in his capacity as Head of Compliance, Risk and Audit, the DPO was ultimately responsible for the processing of personal data in the context of the organisation’s compliance, risk and audit activities. As a result, the DPA ruled that it was impossible for the DPO to exercise any independent oversight over these processing activities.

On the basis that “the concept of the DPO is not new and has been existing since long in many Member States and many organisations” (although it did not exist in Belgium before the adoption of the GDPR), the DPA’s Dispute Chamber concluded that, in combining these roles, the defendant had acted with a “significant degree of negligence”.

The defendant was ordered to resolve the conflict of interest and was fined EUR 50,000. The amount of the fine may seem insignificant (approximately 0.001% of annual turnover), but it is by far the highest administrative fine imposed by the Belgian DPA so far.

3. Our view on the ruling…
