Organisations that are in the process of appointing a DPO (data protection officer) need to tread carefully in selecting the right candidate for the job.
In 2019, a well-established German company was among the first to be fined by a German supervisory authority for violating data protection law by appointing a DPO who also held an IT manager position in the company. More recently, in April 2020, the Belgian Data Protection Authority (DPA) fined a company €50,000 for non-compliance with Article 38(6) of the EU GDPR, which allows a DPO to hold other tasks and duties only where these do not result in a conflict of interests, after the company appointed its director of audit, risk and compliance as its DPO.
This decision makes it clear that a company appointing a DPO must keep the role to the DPO’s own responsibilities and must not ‘utilise’ the DPO’s skills elsewhere in the business in a way that results in a conflict of interests.
Companies under budget pressure are the most likely to fall into this trap: giving the DPO a second role such as IT manager, legal counsel, director of internal audit or head of risk management. That is exactly what the regulators have fined.
What are companies’ obligations under GDPR for hiring a DPO?
With the UK GDPR now in effect, it has become crucial for organisations that must appoint a DPO under Article 37 (public authorities, and controllers or processors whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category or criminal offence data), as well as those that choose to appoint one voluntarily, to appoint a competent DPO.
However, trained specialists in this field are hard to come by, and companies often make the mistake of simply naming one of their existing employees as DPO. This can lead to a conflict of interests, and although it looks like a practical and cost-saving move, the repercussions could see companies paying tens of thousands of euros in fines.
That said, companies are not barred from appointing a DPO internally. An existing employee can be appointed as DPO as long as any other duties they keep do not conflict with the DPO role, and in particular do not put them in a position where they determine the purposes and means of processing personal data.
To reiterate: if the internal candidate already oversees, manages or directs a department whose processing the DPO is supposed to monitor, appointing them as DPO is asking for trouble. It is a conflict of interests under the GDPR and may lead to heavy fines.
It’s important to understand what the legal requirements are for the role of a DPO:
Independence
The GDPR (Article 38) requires that the DPO, whether appointed internally or externally, performs their tasks independently and receives no instructions from the company head, a director or a manager regarding how those tasks are carried out. The DPO must also report directly to the highest management level and must not be dismissed or penalised for performing their tasks.
Companies must not tell the DPO how to interpret data protection law, how to investigate a data privacy complaint, or when to consult the ICO, for example.
Zero conflicts of interest
Most senior positions in a company, such as CEO, COO, CMO, CFO, head of IT and head of HR, involve deciding the purposes and means of processing personal data and therefore have a direct conflict of interests with the DPO position. The same applies to lower-level roles that make such decisions for a particular processing activity.
In closing: outsourcing the DPO role is a sound option
Under Article 37(6) of the GDPR, the DPO may be a staff member or may fulfil the tasks on the basis of a service contract, so companies can outsource the DPO function. This is often the cost-effective choice: the company gains access to a competent and experienced specialist while achieving a key objective, a DPO with no conflict of interests. The outsourced DPO is still subject to the same independence and reporting requirements, so the contract should give them direct access to senior management and guarantee that they receive no instructions on how to perform their tasks.