Out-Law Analysis 6 min. read
07 Sep 2017, 12:33 pm
Potential conflicts of interest and an inability to act independently may preclude some CPOs from serving as DPOs under the new regime.
Guidance issued by data protection authorities in Europe contains advice to help businesses that are obliged to appoint a DPO under the new regime to understand whether their CPO can take on the role alongside their existing job.
Although not explicit on the concept, the guidance suggests some CPOs will be ineligible to perform the tasks of the statutory DPO role under the GDPR due to the nature of their existing role, particularly where CPOs are responsible for implementing their employers' data processing activities, or where they are responsible for the procurement, implementation or championing of systems through which data processing will take place.
The duty to appoint a DPO under the GDPR
Under the GDPR, many organisations, including most public bodies, will be obliged to appoint DPOs.
Businesses whose "core activities" consist of data processing which "by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale" are required to appoint a DPO under the Regulation, as are those whose "core activities" involve processing special categories of personal data and personal data relating to criminal convictions and offences on a large scale.
There is also scope for each EU country to specify other circumstances in which a DPO would need to be designated. New data protection laws in Germany, for example, require every business with 10 or more employees that permanently process personal data to appoint a DPO. Further circumstances where DPOs would need to be appointed are also stipulated in the legislation.
A new UK Data Protection Bill, scheduled to be published this month, could also address the issue of appointing a DPO.
The duties DPOs are obliged to perform under the GDPR
The GDPR is explicit about the duties DPOs are required to perform. They include informing and advising organisations and their employees of their data protection obligations when processing personal data, monitoring the organisation's compliance with the GDPR and internal data protection policies, providing advice on data protection impact assessments, and liaising with, and acting as a contact point for, data protection authorities, including in reporting data breaches.
Businesses must ensure DPOs are "designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices", as well as their ability to fulfil the tasks required of them under the Regulation.
DPOs can be a member of staff or perform their duties "on the basis of a service contract".
The way DPOs should carry out their tasks and be allowed to operate
As well as setting out the duties that DPOs must fulfil, the GDPR sets out conditions on the way in which DPOs should be allowed to perform them.
Organisations are obliged to ensure DPOs are "involved, properly and in a timely manner, in all issues which relate to the protection of personal data" and have the "resources necessary" and access to the personal data and processing operations to carry out their tasks, and maintain their "expert knowledge".
In addition, the GDPR requires that DPOs operate independently and without instruction from their employer over the way they carry out their tasks. Organisations are prohibited from dismissing or penalising DPOs for performing their tasks under the GDPR, and they must ensure that DPOs report directly to "the highest management level" in the organisation.
While the GDPR allows DPOs to "fulfil other tasks and duties", organisations are obliged to ensure that there is no "conflict of interests" between those activities and the formal duties prescribed under the Regulation.
The guidance issued by EU data protection authorities
The concept of the independence of DPOs and the potential conflicts of interest that could arise when DPOs perform dual roles are addressed in guidance issued by the Article 29 Working Party earlier this year.
The Working Party is a committee made up of representatives from national data protection watchdogs from across the EU.
On the autonomy of DPOs…
The Working Party said that the provisions of the GDPR make it clear that organisations must not tell DPOs how to "deal with a matter" relating to their formal tasks under the Regulation. This, it said, includes instructing DPOs on "what result should be achieved, how to investigate a complaint or whether to consult the supervisory authority". Nor can businesses tell their DPO how to interpret data protection law, it said.
The Working Party also said that businesses are free to ignore the advice of DPOs as they remain "responsible for compliance", but they must ensure that DPOs are able to "make his or her dissenting opinion clear to the highest management level and to those making the decisions".
On conflicts of interest…
In its guidance, the Working Party set out a list of roles that it considers to be "conflicting positions". In that regard, "as a rule of thumb", a person taking on the tasks of a DPO would not be able to hold those other jobs, it said.
However, it qualified this by stating that a "case by case" assessment would need to be made.
Chief executives, chief operating officers, chief financial officers, chief medical officers, heads of marketing department, heads of human resources and heads of IT departments are likely to be ineligible for performing the tasks of a DPO alongside their main role, according to the Working Party's guidance.
It said "the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data", and said that this could preclude other senior executives as well as people performing "other roles lower down in the organisational structure" from taking on the role of DPO under the GDPR.
The Working Party has encouraged each business to "identify the positions which would be incompatible with the function of DPO". It said they should also consider drawing up "internal rules" for avoiding conflicts of interest and more generally set out what those conflicts may be.
It also urged organisations to "declare that their DPO has no conflict of interests with regard to its function as a DPO".
Can CPOs be said to operate independently and without conflict?
Within some large organisations, CPOs have an important role to play in implementing policies that dictate how personal data is processed, how it is accessed and the way in which it is stored. They are often the executive on the hook internally for sound data protection and security practices.
To that end CPOs can become engaged in a wide variety of activities. They will generally oversee and sign off projects that involve the processing of personal data, and they will often lead boardroom discussions on how data processing activities should be designed, and get involved in the procurement of technology and systems to implement that processing, or otherwise help shape the business' engagement with technology suppliers over the nature of data processing activities being outsourced.
Often, CPOs will externally act as a champion of the policies and practices that the business deploys, whether that's endorsing the availability of new technology or processes in marketing materials, or publicly defending data protection policies or practices in light of criticism from regulators, the media or other stakeholders.
In many respects, CPOs would be the obvious choice to take on the role of DPO under the GDPR. The knowledge and expertise CPOs typically have would lend itself to the performance of tasks DPOs must undertake.
However, as the Working Party's guidance and the GDPR itself make clear, there are reasons to doubt whether CPOs could perform the DPO tasks independently and without conflict.
How could they, for example, provide independent advice on data protection and issues of compliance in their role as DPO if they are simultaneously responsible for, say, new products or services - and determining the associated purposes and means of processing in the context of being responsible for these, and/or are involved in selecting, implementing or championing the associated technology, systems or processes?
Businesses should assess whether they are obliged to appoint a DPO under the new Regulation, and give careful consideration to the requirements that DPOs act independently and without conflict when performing their formal tasks.
Marc Dautlich and Paul Greaves are experts in data protection law at Pinsent Masons, the law firm behind Out-Law.com.