GDPR: Company fined $54,000 for lack of DPO independence

The only thing that seems to keep pace with technology these days is the law written to regulate its safe use. Although Europe's GDPR has been in effect since 2018, a recent decision from Belgium's regulatory authority will have companies questioning their state of compliance.

On April 28, 2020, the Belgian Data Protection Authority (DPA) issued a €50,000 fine to a company for non-compliance with the GDPR’s requirements related to the appointment and position of a data protection officer (DPO). Although the case is still under appeal, several findings are of note.

First, the DPA found that the company had improperly appointed the head of its Compliance, Risk Management, and Audit departments to also serve as its DPO. Article 38(6) of the GDPR permits the DPO to fulfil other tasks and duties, but requires that "the controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests." The issue here is that, as head of the Compliance, Risk Management, and Audit departments, this individual determines the purposes and means of processing personal data within those departments. That creates a conflict of interest when the same person must simultaneously assess and advise on the compliance of those processing activities with data protection law.

Head of Compliance, Risk and Audit not considered independent

While it may be argued that personnel in audit- or compliance-based roles already serve an independent advisory function for the wider company, the Belgian authority maintained that there was no independent oversight of the data processing carried out within the Compliance, Risk Management, and Audit departments, because the person in charge of those departments was also the one tasked with assessing their compliance. On this reasoning, it is inappropriate to appoint as DPO anyone who oversees or exercises managerial control over data processing activities. Given that the GDPR had been in effect for nearly two years at the time of the decision, the defendant was found to have acted with a "significant degree of negligence", which ultimately cost it €50,000.

The logic of the finding is somewhat confusing. It is a bit like saying that a general counsel can advise on the legality of actions taken by other departments, but that an outside party would need to advise on the legality of actions taken by the Legal Department. A conflict of interest may clearly exist, but who else inside the company is better placed to advise on privacy compliance?

Should heads of departments act as DPOs?

The second issue to note is that the investigation that led to this finding was triggered by a data breach notification. As COVID-19 continues to pose existential challenges to organizations, cybersecurity events and incidents are trending higher. When an incident inevitably does occur, companies should be confident that they have already considered every aspect of their data privacy program, on the assumption that the regulator will ask questions about the full scope of their GDPR efforts, not just the breach itself.

According to the Belgian DPA, “the combination of the role of DPO with that of being the Head of any department that is subject to the DPO’s oversight prevents the DPO from acting independently”. This poses serious challenges to any company whose DPO also acts as a department head. In fact, it may prevent any internal employee from acting as the DPO. On the one hand, someone too high in the organization will influence the purposes and means of data processing within their department (or the organization entirely), which presents a conflict of interest. On the other hand, someone at a lower level may be too involved in the actual processing of data, in addition to lacking the ability to report directly to “the highest management level” as required by Article 38(3).

Is outsourcing your DPO an option?

The simplest approach to managing GDPR compliance may be to appoint an outside party. Article 37(6) of the GDPR expressly allows the DPO to fulfil the role on the basis of a service contract rather than as a staff member. Such an individual (or entity) can provide the independent advisory function without the conflict of interest that arises when the DPO is simultaneously an employee with managerial responsibility for processing activities, although the Article 38(6) requirement to avoid conflicts of interest still applies to an external DPO. DPO as a service is a practical and cost-effective solution for organizations that lack the data protection expertise and knowledge needed to fulfil their obligations under the GDPR and other privacy laws.

By outsourcing DPO tasks and duties to a managed service provider, you get access to expert advice and guidance that helps you to address the demands of the GDPR while staying focused on your core business activities. IT Governance USA offers a complete suite of DPO-as-a-service packages to suit your needs. Contact us at the link below!

IT Governance USA DPO as a Service