Breaching Data Protection Officer (DPO) independence requirements
In a recent case in Belgian, a company was fined €50,000 the lack of independence of their DPO and failure to fully engage with them.
An administrative infringement of the provisions of the GDPR, (Art 38) can be subject administrative fines up to €10,000,000, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
In determining the amount of the fine, the Supervisory Authority (SA) in Belgium relied on the following 3 criteria:
(i) The availability of guidelines from Art 29 Working Party (now European Data Protection Board) on DPOs, which includes details regarding the requirements in terms of conflict of interests;
(ii). The nature of the Defendant’s business;
a. The level of maturity of such an organisation (it was a major telecom provider);
b. The amount of personal data processed, and therefore the increased amount of individuals subject to a risk of non-compliance;
and
(iii) The duration of the breach of Article 38(6) of the GDPR, provided that the Defendant had not changed their DPO before the hearing.
We believe that all organisations should consider the following 2 key takeaways from this decision:
INVOLVE THE DPO EARLY
The DPO must be consulted in all data protection related matters, not just informed. This means that the DPO must have an opportunity to be involved early in processes related to data protection matters, and that they should have the opportunity to give their opinion.
Organisations should ensure that all their processes are documented, and that they can explicitly demonstrate that the DPO is consulted at the outset of data protection matters. (a lack of paperwork proving engagement with their DPO, was one of the reasons that this company got into trouble).
In the context of a risk assessment of a personal data breach, the DPO should be able to undertake their own risk assessment (or provide their views on the one undertaken by management teams) before a final decision is sought.
NO CONFLICT OF INTEREST
Organisations should refrain from appointing DPOs who have other roles in other departments where they have responsibility for decisions relating to purposes and means of personal data processing in that department. It may mean that:
(i) DPOs who head or manage departments are likely to be in a situation of conflict of interest;
(ii) More junior personnel in another department may be less likely to have this risk however, this may raise other difficulties; like their qualifications and having to report to the highest level of management, which is required under GDPR;
Conflicting roles may include IT managers, General Counsel, Head of Compliance, Head of Audit, Head of Finance, Head of Marketing, Head of HR or any other head of a department involving the processing of personal data.
Two other options to consider:
a. hire a dedicated in-house DPO;
or
b. you can outsource the Data Protection Officer function (DPO as a service), which is a service that we offer to our clients, see link below.