The Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit) recently issued a €75,000 fine to an unnamed bank for violation of Article 38(6) of the General Data Protection Regulation (GDPR).
Although the amount of the fine might not be as groundbreaking as some others, it might be interesting to know that appointing a Data Protection Officer (DPO) who performs other tasks in the organization can prove to be a double-edged sword.
In this particular case, the DPA took issue with the position of the DPO within the organization and identified a conflict of interest and a violation of Article 38(6):
“The data protection officer may fulfill other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.”
The Belgian DPA identified a conflict of interest between the DPO’s responsibilities and other duties within the Bank.
The DPO also served as head of several departments (Operational Risk Management, Information Risk Management, and the Special Investigation Unit), functions to which he had to report in his capacity as data protection officer; the DPA concluded that this amounted to a material conflict of interest.
How to prevent conflict of interest in your organization
Although a DPO may perform other duties within the organization, you want to ensure that any other role does not result in a conflict of interest.
To avoid similar situations, you can follow a few guidelines:
- Assess the tasks and duties of the appointed DPO
- The DPO should not act as a controller of the processing activities
- The DPO should not hold senior management positions (CFO, CEO, Head of Marketing, Head of HR, and similar roles)
However, prior decisions on the same matter have shown that the DPA can interpret conflicting roles very broadly, covering far more roles than those described in the WP29 guidelines, including any head of department in the organization.
It can therefore become difficult for organizations to combine two or more roles, including that of DPO, in a single person, for more than one reason.
First of all, different roles within an organization can be involved in determining the means and purpose of processing, not just the department heads.
The second reason lies in the authority and independence that the DPO should embody.
The DPO should operate independently, with the full support of upper management and the Board, and with access to all the resources needed to do the job according to best practices; this can sometimes conflict with the more junior role the prospective DPO already holds.