Hot on the heels of the Cambridge Analytica scandal, the General Data Protection Regulation 2016/679 (GDPR) became applicable in May 2018. In an atmosphere where data protection and privacy were high in people’s consciousness, the regulation introduced a host of changes that companies across the European Union would need to make to ensure the protection of individuals’ personal data. One of these is the requirement that any organisation whose core activities involve either regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data (such as health data) must appoint a Data Protection Officer (DPO); it was initially estimated that at least 75,000 new DPOs would be needed worldwide. The requirement applies to large organisations and SMEs alike. The DPO needs to be an expert in data protection matters but may also fulfil other tasks and duties, provided there is no conflict of interest. This caveat is crucial because subsequent regulatory decisions have called into question whether a company can realistically make any internal DPO appointment without risk of sanction.
On 28 April 2020, the Belgian Data Protection Authority (BEDPA) fined a company 50,000 EUR for appointing its head of compliance, audit and risk as its DPO. This is a highly conservative judgment which may have implications for DPO appointments within all EU-based businesses going forward. The BEDPA found that the appointment was negligent and gave rise to a conflict of interest because, as the head of compliance, audit and risk, the individual concerned was responsible for making decisions about the processing of personal data within those departments. This would, the BEDPA ruled, prevent effective and impartial scrutiny of those decisions by the same individual in their capacity as DPO. As the basis for its judgment, the BEDPA relied on the guidelines on DPOs originally adopted by the Article 29 Working Party and since endorsed by the European Data Protection Board (EDPB), an independent body comprised of representatives of the national data protection authorities. The guidelines state that a DPO “cannot hold a position within the organisation that leads him or her to determine the purposes and the means of processing of personal data”.
This decision indicates that the BEDPA considers the appointment of any senior employee with oversight of any data processing activities to the position of DPO to be a conflict of interest. This is significant for any company wishing to make an internal DPO appointment, unless it is prepared to engage someone who has no other management role. At the same time, a DPO is required to be an expert in data protection matters, report directly to the highest level of management within the organisation, and act as the first point of contact for supervisory authorities and for individuals whose data the company processes. It would therefore be difficult for a company to appoint a DPO from within its own senior management ranks whose day job does not involve some responsibility over data processing activities.
Whilst the BEDPA decision is subject to appeal and could yet be overturned, the BEDPA is not the only European data protection regulator to have taken steps to ensure the independence of DPOs. The Hellenic Data Protection Authority (HDPA) recently ruled that DPOs should not represent their organisations in regulatory investigations before the HDPA. The reasoning is that the internal advice a DPO gives to their employer is not binding, so representing the organisation may put the DPO in the position of having to defend decisions which they advised against or even opposed.
The recent decisions by the BEDPA and the HDPA appear to make appointing an internal DPO challenging. This is particularly relevant for SMEs, which may not have the same internal resources as their larger counterparts, who can potentially afford to dedicate an individual solely to the role of DPO without other duties. However, the very conservative nature of these decisions potentially cuts across the GDPR, which expressly permits DPOs to undertake other tasks and duties; the guidelines endorsed by the EDPB also recognise that whether a conflict of interest exists should be assessed on the facts, case by case. There are also steps that can be taken to mitigate any potential fallout from a DPO appointment. First, all data controllers who make an internal DPO appointment should document the analysis that led to the decision. This should identify the positions and functions that would be incompatible with the role and activities of the DPO, and the controller should implement internal processes to ensure the separation of functions and responsibilities so that conflicts of interest do not arise. Second, an efficient alternative to making an internal appointment is to engage an external specialist, an approach which is specifically permitted under the GDPR. This has the potential to significantly reduce the risk of conflicts of interest that internal appointments can create.
Over time we hope to see regulators taking a more balanced approach in their rulings on DPO conflicts. In the meantime, organisations that need or want to appoint a DPO should take all necessary precautions to ensure that the decisions they make, whether appointing an internal or an external DPO, are well-considered and that they have done the analysis to prove it.