DPOs and conflict of interests
EU Court of Justice says businesses should conduct assessment
I was recently mulling over with colleagues whether someone could be both the CEO and Data Protection Officer, along with another client query about whether someone could wear two hats: Consumer Services Manager and DPO.
UK/EU GDPR specifically tells us a DPO ‘may fulfil other tasks and duties’, but says the controller or processor must make sure ‘any such tasks and duties do not result in a conflict of interests’.
So, I read with some interest the recent judgement from the EU Court of Justice about the role of a DPO and the risk of a conflict of interests. (Albeit it probably doesn’t say any more than we already suspected.)
The court confirms DPOs should be ‘in a position to perform their duties and tasks in an independent manner’. This means they should not be carrying out tasks or duties which would result in them determining the objectives and methods of processing personal data within the organisation.
Where an individual has two or more roles (including DPO), organisations are urged to assess whether there’s a potential conflict of interests. This should be done on a case-by-case basis, taking into account all relevant circumstances, including organisational structure.
What matters is what happens in practice. If a DPO has two roles, the organisation needs to make sure there are clear rules in place to avoid, or limit, any conflict of interests arising. (And it’s not the DPO’s job to try and resolve this).
If a DPO’s other job means they have responsibility for the data processing itself, there’s likely to be a conflict. But in practice this may be a difficult line to draw.
The law also tells us a DPO cannot be dismissed or penalised for performing DPO tasks. However, a DPO could be removed from the role if they are unable, or no longer able, to carry out their duties and tasks in an independent manner.
So, can a CEO also be a DPO? Probably not; it’s far from ideal. Can a Customer Service Manager also be a DPO? Possibly, if the different roles are clearly defined.
The European Data Protection Board’s DPO guidance gives us a bit of a steer. This says conflicting positions within an organisation may include ‘senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments)’. This may extend to ‘other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing’.
Clearly, if you’re a smaller business but judge you should have a DPO, it may prove challenging to appoint a suitable person where no conflict arises, given the limited number of people to choose from. One would hope any regulator would take size and resources into account.
It’s probably a good idea to follow this judgement and conduct an assessment. Clearly set out what the different roles entail, document your decision and be ready to defend it if you have to.
With all of this it’s worth remembering:
- the law sets out specific tasks and duties a DPO must perform
- not every business needs a DPO!
Read our DPO myth buster covering who needs a DPO and what the role entails. And don’t forget changes may be on the horizon under the UK Data Protection and Digital Information Bill. This could require UK businesses to appoint a ‘Senior Responsible Individual’ for data protection.