Companies required to appoint a data protection officer (DPO) should carefully consider which candidate is best to select for the job.
Last year, an established company in Germany was fined by the local data protection authority for appointing a DPO who at the same time held an operational position as an IT manager. The appointment was deemed to create a conflict of interests between the two functions. This decision could potentially influence the interpretation of the upcoming EU General Data Protection Regulation (“GDPR”) and thus influence the appointment of DPOs by European companies.
Put simply, organisations must appoint a DPO if they engage in automated data processing. Automated data processing covers the collection, retention, analysis and/or sharing of personal data.
The DPO’s function is to monitor the company’s overall compliance with local and European data protection rules; the DPO cannot, however, issue mandatory instructions. Rather, he or she can only assist the company in working towards data protection compliance. Companies may designate an internal or external individual as the DPO, provided that the individual is free from any conflict of interests.
Conflict of Interests for IT Managers
An IT manager generally has a significant stake in setting up, managing and influencing data processing activities within a company. Indeed, the IT manager often oversees the selection and deployment of IT assets and tools, which themselves can be the subject of investigations (or violations) of data protection compliance. Therefore, under GDPR a company's IT manager (or similarly, the Marketing Manager) could be viewed as ill-suited to serve as DPO. A DPO should be an unbiased, independent person without direct or personal interests in the operations of the company’s data processing.
In fairness, appointing an IT manager to the DPO position makes some intuitive sense. An IT manager is a practical choice given the general requirement that DPOs have sufficient IT expertise to capably monitor the data privacy compliance of IT operations (which may include issues like international data transfers and security). This closeness in function, however, itself creates a possible conflict of interest, jeopardizing the necessary independence of the DPO. The problem is that an IT manager occupying both roles may be asked to evaluate, for compliance with data privacy laws, the very IT infrastructure and systems he or she is responsible for in the first instance.
Potential Impact on Data Protection Officers Under the GDPR
The EU General Data Protection Regulation (“GDPR”) contains provisions requiring companies to appoint DPOs where core activities either relate to the regular and systematic monitoring of data subjects on a large scale or encompass the processing on a large scale of special categories of data. It likewise requires that DPOs be independent and free from any conflicts of interest. As a result, future interpretation of the GDPR rules is likely to lead to challenges where a DPO holds a role with a potential conflict of interest.
Should we change our DPO?
Companies required to appoint a DPO are well advised to carefully consider candidates that are free from conflicts of interest. While it does not appear necessary to preclude a DPO from having other corporate functions, the designated individual should not be in charge of, or have a personal stake in, significant decision-making relating to IT. One potential solution may be to “firewall” DPOs from such decision-making processes. Suffice it to say that this aspect of GDPR compliance will be scrutinized heavily by Data Protection authorities in the coming months and years.
If your IT Manager currently occupies both roles, it may be wise to train another member of staff who is not at risk of being accused of having a conflict of interest; alternatively, a company may consider outsourcing the role, ensuring independence and transparency. For many smaller companies, the cost of an additional appointment, whether as an internal hire or as an outsourced retained expert, is a real consideration, and a GDPR Readiness Audit may help you answer the questions unique to your organisation.