Avoiding Conflicts of Interest in Selecting a Data Protection Officer
This article was covered by the Big Law Business, prepared by Christopher Schmidt, the Magister of Law, Independent Privacy Law Lecturer, Qian Li Loke of Straits Interactive; Luis Alberto Montezuma from the Colombia Data Protection Authority.
Appointing a designated data protection officer is crucial to an organization’s efforts to achieve operational compliance in data protection. Data protection analysts examine the scope of a DPO’s responsibility and look at main areas where a conflict of interest may arise.
Anyway, as regulators continue to push for a shift from compliance toward accountability, the discussion firmly places the spotlight on conflicts of interest (COI) that may emerge between businesses and their DPOs.
Data Protection Officer as a Key Figure in Accountability
There is a wide range of definitions of accountability. When it comes to data protection and privacy, accountability is a principle that entails appointing an individual that is called the DPO.
What are the responsibilities of a DPO?
- Developing and monitoring an organization-wide privacy management program to meet all obligations under applicable regulations.
- Its resources must be identified and adequate since the data protection management program is essentially an enterprise-level risk management program.
Every DPO must be recognized as independent by the top management, which allows them to perform their tasks such as conducting compliance checks and post-breach investigation as among the top without having to receive any instruction.
Approaching Conflict of Interest
From a synopsis of recent public guidance, notably by the European Data Protection Board, the State Data Protection Commissioner of Baden-Wuerttemberg, the Danish Datatilsynet, the Information Commissioner’s Office, and the Belgian Gegevensbeschermingsautoriteit, one may distinguish three types of COI where DPOs may have their hands tied by their organization, which will be briefly discussed in the following:
DPO-Boss – Where a DPO faces competing interests when being in a senior management position that implies decision-making on the purposes and means of processing – this is competence in which under most data protection laws is strictly assigned to the data controller and its representative bodies.
Overconfidence with an “I-Trust-Myself” Attitude Type of DPO – This is similar to the first group. The conflict of interest arises when internal and external DPOs have to self-monitor their own activities and compliance. Take note that DPOs cannot be both judges and judged. Even IT managers or systems administrators that do not belong to the top management, may decide on an essential area of IT structures, but they cannot be accepted as DPOs.
Shortcomings will lead to fines even before the GDPR Compliance became fully applicable.
DPO-of-All-Trades and a Master of None – DPOs face competing for interests when they draft the entire data processing documents without any significant involvement of the organization, or when they respond to requests from data subjects on their own authority. The Authority concluded that the DPO was not entitled to take the data subject’s email address from the distribution list which would rather have been the task of the data controller under Article 17 GDPR Compliance.
Avoiding and Handling of COI
Irrespective of how COI may emerge in an organization, both controllers and processors are encouraged to adopt a declaration by which they commit themselves to detect and resolve COI from the outset.
The declaration should list all existing roles within the organization that are incompatible with that of the DPO and include a transparent, rapid procedure or identifying such conflicts in the future.
However, when in doubt, an assistant DPO or any suitable member of the Data Protection Committee should be available who may take over further communication and cooperation with the business partner towards whom the DPO may be biased.