Is your DPO really independent?
The Belgian Data Protection Authority recently fined a company EUR 50 000 for not having an independent Data Protection Officer and for not involving the DPO in breach handling.
The number of registered Data Protection Officers ("DPOs") has increased tremendously since the GDPR, and DPOs are doing an important and difficult job. Even companies not obliged to have a DPO often choose to appoint one, because the role builds trust and credibility with both customers and employees.
So, what may you expect from your DPO? Are they useful? The business must, and will, expect commercially minded advice that at the same time takes the regulatory framework into account. Striking that balance is no easy task.
In real life, the usefulness of your DPO's advice depends on the DPO's theoretical and practical knowledge. It also depends on the resources the DPO has, and on what other ties the DPO is bound by. The European Data Protection Board has focused a great deal on this latter aspect, and its advice is very clear: make sure the DPO is independent. We take the liberty of rephrasing this as: make sure the DPO is as independent as possible. Few are entirely independent.
The reason for this is simple: the job of the DPO is also to be a watchdog, to say when something is not done by the book. The DPO cannot do that properly if the DPO has personally decided on important aspects of how the business is set up. It is very difficult to criticise activities that you yourself were active in deciding.
This implies that there are many roles in the business that the DPO cannot hold. For instance, the DPO cannot be the person who decides on procedures for handling customer data, who decides which information security tools to invest in, or who is in charge of handling HR data.
It is not surprising that the data protection authorities focus on this. Even more so because it is easy to check: verifying the DPO's position in the organisation does not take many resources for the DPA. The recent fine in Belgium against a leading Belgian telecom, Proximus, is the first large fine on this subject. Proximus was fined for breaching Article 38(6) GDPR, which says that the DPO may fulfil other tasks and duties, but only where these do not result in a conflict of interests. The responsibility for ensuring this lies with the controller or processor, i.e. the DPO's employer.
In the case of Proximus, the DPO also worked as director of internal audit, handling risk management and compliance. Proximus argued that those roles were advisory by nature, but the argument was not accepted. In addition, Proximus was fined for not involving the DPO sufficiently in the handling of personal data breaches.
Deciding which role in the business may act as DPO is important, given the formal requirements on the role. One must balance knowledge against conflicting interests. This is also the reason that some companies have not only a Data Protection Officer, who is bound by the principle of independence, but also a data protection director, who is not subject to such formal restrictions. If that is not possible, it may be wise to appoint an external DPO.
Following this decision, it may be wise to reconsider whether you have placed your DPO properly in the business. It may also be wise to assess whether you really need a DPO at all; perhaps what you really want is a privacy director or an external DPO. And, if you do have a properly placed DPO, make sure you involve them correctly in breach handling.