The internal Data Protection Officer (DPO): a position in jeopardy?
The date 25 May 2020 might ring a bell. It marks two years since the General Data Protection Regulation (GDPR for short) came into force – a robust legislative text that ratified a number of existing obligations, but also introduced new rules and positions, such as that of the Data Protection Officer (DPO).
The GDPR obliges certain undertakings to appoint a Data Protection Officer (DPO). This applies to governmental organisations and government bodies (with the exception of legal entities) and organisations that process data pertaining to data subjects on a large scale. The DPO himself can be viewed as the internal or external supervisor overseeing compliance with the privacy regulation within your organisation.
Appointing a DPO is not without “danger”
Whether a DPO is compulsory, what exactly his remit entails and how he is supposed to perform his duties have since been laid down in this framework. As a company you are free to appoint as DPO either someone from outside the organisation or someone from within it (e.g. a member of staff).
- The advantage of an external DPO is his independence and objective view of your company. Given his experience you do not have to give him ongoing training in the (regularly updated) data protection legislation. The disadvantage is his lack of knowledge of the ins and outs of your organisation, so you will have to introduce him to them yourself.
- The advantage of an internal DPO is that he or she knows your organisation (and staff). This person does not have to hold down this position on a full-time basis, and may even – under certain conditions – combine it with another post. But in that case a risk of conflict of interests does arise.
Who is definitely not eligible?
The GDPR’s WP29 guidelines state that a DPO may under no circumstances perform duties that “can determine the purposes and resources of the data processing within the undertaking”. In other words: management positions (CEO, CFO, CTO, etc.), and IT and HR managers are absolutely out of the question.
The consequence is that many companies currently appoint a department head, such as the Head of Compliance or the Head of Legal Affairs, as the internal DPO, because he or she is already well acquainted with the analysis and enforcement of legislative texts. Unfortunately the Data Protection Authority wants things to be even stricter.
The Proximus case: a precedent?
In May 2020 the Belgian Data Protection Authority (DPA) imposed a EUR 50,000 fine on Proximus for a conflict of interests in respect of its Data Protection Officer, since the latter was also Head of the Compliance, Audit & Risk Department.
The DPA asserted that the Head of the Compliance, Audit & Risk Department can also be the party with ultimate responsibility for the processing of personal data in the context of an organisation’s Compliance, Audit and Risk activities. The concept of “conflict of interests” is therefore applied very strictly here.
What are the implications?
Proximus could lodge an appeal with the Market Court, but announced that it would comply with the decision and adapt the position of its DPO. Nevertheless, this case raises a lot of questions. Proximus was penalised on the grounds of a hypothetical conflict of interests. So one might wonder whether an internal DPO is actually a good idea at all.
Unfortunately there is (as yet) no definite answer to this. Depending on your company and activities, a dual role is certainly permitted. We would recommend in any case that you document your DPO’s remit very comprehensively and, at the same time, designate a stand-in DPO.
Conclusion: better safe than sorry
It is now two years since the GDPR was brought into force. The lack of guidance and controls in the initial months led to many companies becoming less vigilant. But the facts speak for themselves: since then more and more companies have got into trouble with the DPA or have been the victims of phishing. A GDPR-proof data security policy is more urgent than ever.