Does your DPO have a Conflict of Interest?
Your DPO should be knowledgeable, experienced and qualified, but also independent. See how companies have fallen foul of the GDPR by appointing execs who are ideally placed for all but the last requirement, and how strictly regulators have responded.
What is a DPO?
Unlike many other areas of compliance, data privacy adherence is not something that can be audited once and then presumed to continue for the foreseeable future.
Data is the most voluminous, mobile, essential and potentially dangerous asset any business owns. It is created, deleted and interacted with constantly, often in new ways by new individuals.
A point in time audit is simply not suitable for continuous oversight of how data is treated.
It is this unavoidable truth that led the GDPR legislators to require organizations that process the most data, and/or the most sensitive data, to ensure that the interests of the data subject are continually and adequately represented in any and all data processing. Hence, the mandated requirement for the Data Protection Officer (DPO).
Under Article 37, DPOs are a mandated requirement if:
- You are a public authority or body
- You are an organisation whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale (e.g. online behaviour tracking)
- You engage in the processing of large volumes of special category data, or data related to criminal offences and convictions
The DPO’s tasks are outlined in Article 39 of the GDPR as:
- To inform and advise the business and its employees of their GDPR obligations.
- To monitor and audit compliance with the GDPR and the business’ data processing policies, including the assignment of responsibilities, awareness-raising and training of staff.
- To manage data protection impact assessments, and monitor their outcomes.
- To cooperate with and serve as the contact point for Supervisory Authorities.
Appointing a DPO internally
Many mandated businesses have dutifully appointed their DPO. They have consciously sought to avoid the expense, time and difficulty of hiring a new head, and distilled the requirements and responsibilities to their raw essences and found a person internally who:
- Understands the way the company ingests and uses data
- Has the standing and breadth of involvement in the business to appreciate every data workflow
- Is experienced in the administrative, legalistic and monitoring sides of compliance
- Is senior and credible enough – as the GDPR requires – to interact with, advise and perhaps argue with the highest levels of the business
This seems suitable. The rights and interests of the data subjects appear to be best protected by a person who has this experience and background, and who can monitor the organization’s activities and ensure their adherence to the rules and the sentiment of GDPR, such as the CIO, CISO, Head of Compliance, Head of Legal, even the CEO.
These organizations seem to be acting in totally good faith. After all, Article 38(6) even allows the DPO role to be a secondary role on top of day-to-day operations.
But they have forgotten an underlying principle of the GDPR: the DPO must be independent.
Expecting someone who also has responsibility for the management, oversight, strategy or security of data and how it is processed (i.e. a data controller) to also scrutinise, critique and object to those same processes on behalf of data subjects creates a conflict of interest.
It is like asking students to mark their own homework. As much as they may be obliged to remain impartial, they have their own obligations, objectives and interests that prevent them from being completely and undeniably impartial.
No matter how ethically they may think they act, it represents a compliance failure.
And legislators are hot on this. Most Supervisory Authorities, including the UK’s Information Commissioner’s Office (ICO), have issued specific guidance on how to avoid conflict of interest. While this proactive support shows that the SAs intend to help businesses avoid making this error, the flipside is that it also means they will not tolerate failure.
Indeed, fines have started to be handed to firms who overstep, intentionally or otherwise. A prime example is a €50,000 penalty for a Belgian telecoms operator whose DPO was also their Head of Compliance, responsible for the compliance, risk management and audit functions. Dispassionate and independent review of their data protection processes from a data subject’s perspective versus the business’ was deemed impossible.
The whole point of the DPO is to stand apart from the interests of the business and be the voice of the data subject.
How can any of these roles – all of which put the interests of the business first – be compatible with a second role that expects them to demand that the business undertakes specific actions to protect the interests of the data subject, or even to spot the need for additional actions? An external perspective is often key.
Should you outsource your DPO?
A company must appoint a DPO who is free to operate independently. There should be no pressure from management, or risk of insufficient perspective on data-centric processes or strategies that may jeopardize the continuous privacy of personal data.
If you suspect your current internal DPO appointment is putting your GDPR adherence at risk, then you should consider making a change soon.
How Calligo can help
Calligo’s expert and highly-qualified data privacy consultants, who each have a unique mix of legal, technical and infosecurity expertise, are ideally suited to serve as your outsourced Data Protection Officer.
Our DPO as a Service clients range from SME to the largest enterprises, span every sector, multiple geographies and privacy regulations, and process some of the most sensitive categories of data.
Our experts provide ongoing monitoring and audits of the collection and processing of personal data, plus staff training to ensure our clients’ total and ongoing protection. They also represent your organization to both data subjects and Supervisory Authorities.
To find out more about our Data Protection Officer as a Service, click the button below and speak to our expert Data Privacy Consultants.