Should you appoint an existing member of staff as your DPO?
In a shock decision, the Belgian Data Protection Authority (DPA) has fined a company for appointing its head of compliance as the GDPR Data Protection Officer (DPO). According to the DPA, this combination of roles creates a conflict of interest and therefore constitutes an infringement of article 38(6) GDPR.
For many organisations, the appointment of the DPO has been one of the more complicated requirements to deal with under the GDPR. The detailed description of the workload and the high requirements in terms of expertise, together with the expectations set out in the Article 29 Working Party guidelines, have added to the confusion. Add the fact that this function did not exist in most EU Member States and/or organisations, creating a huge demand for the limited number of people who met the legal requirements, and it is clear that many organisations have had huge difficulty finding the right person for the job.
It is therefore no wonder that many organisations decided to appoint the DPO from within the organisation. After all, article 38(6) GDPR expressly allows organisations to appoint a DPO who may fulfil "other tasks and duties" so long as it does not result in a conflict of interest.
The Article 29 Working Party expanded further on this in its Guidelines on Data Protection Officers:
"A conflict of interest will exist in situations where a DPO holds a position within the organisation that leads him or her 'to determine the purposes and the means of the processing of personal data'. Although the Article 29 Working Party acknowledged that this assessment is done on a case-by-case basis, as a rule of thumb, it identified senior management positions such as CEO, COO, Head of Marketing, Head of HR or Head of IT as conflicting positions."
As a result of these guidelines, thousands of organisations who did not require a full-time DPO opted to appoint their head of compliance, CEO, head of HR or IT as the DPO.
This seemed quite logical. People in these positions could easily become "experts in data protection law" (art. 37(5) GDPR). They typically have affinity with legal compliance and how it is implemented in practice.
Based on the latest decision of the Belgian DPA, all these organisations run the risk of fines, having demonstrated a "high degree of negligence" in appointing, under the circumstances, a head of a department as the DPO.
2. Belgian Data Protection Authority ruling
Following an investigation triggered by a data breach, the DPA's Inspection Service alleged that the defendant did not comply with article 38(6) GDPR because it appointed its Head of Compliance, Risk and Audit as the DPO.
The defendant argued that there was no conflict of interest between these roles, to the extent that the DPO was not involved in any decision-making around the processing of personal data.
The DPA disagreed, pointing out that in its capacity as Head of Compliance, Risk and Audit, the DPO was ultimately responsible for the processing of personal data in the context of the organisation's compliance, risk and audit activities. As a result, the DPA ruled that it was impossible for the DPO to exercise any independent oversight of these processing activities.
On the basis that "the concept of the DPO is not new and has existed for a long time in many Member States and many organisations" (although it did not exist in Belgium before the adoption of the GDPR), the DPA's Dispute Chamber concluded that in combining these roles, the defendant acted with a "significant degree of negligence".
The defendant was ordered to resolve the conflict of interest and was fined 50,000 EUR. The amount of the fine may seem insignificant (approximately 0.001% of annual turnover), but it is by far the highest administrative fine imposed by the Belgian DPA so far.
This case helps us understand the regulator's view, and in particular its concept of direct and indirect determination of the purposes and means of processing personal data.