Should all Heads of Compliance/Legal step down as DPO, following the Belgian DPA ruling?
Locations
For many organisations, the appointment of the DPO has been one of the more complicated requirements to deal with under the GDPR. The detailed description of the workload, the high requirements in terms of expertise, but also the expectations of the Article 29 Working Party guidelines in terms of availability and language skills put the bar very high. Add the fact that this function did not exist in most EU Member States and/or organisations, creating a huge demand for the limited number of people that met the legal requirements, and it is clear that many organisations have had huge issues finding the right person for the job.
It is therefore no wonder that many organisations decided to appoint the DPO from within the organisation. After all, article 38.6 GDPR expressly allows organisations to appoint a DPO who fulfils "other tasks and duties" as long as it does not result in a conflict of interest.
The Article 29 Working Party elaborated further on this principle in its Guidelines on Data Protection Officers: A conflict of interest will exist in situations where a DPO holds a position within the organisation that leads him or her "to determine the purposes and the means of the processing of personal data". Although the Article 29 Working Party acknowledged that this assessment is done on a case-by-case basis, as a rule of thumb, it identified senior management positions such as CEO, COO, Head of Marketing, Head of HR or Head of IT as conflicting positions.
As a result of these guidelines, hundreds if not thousands of organisations who did not require a full-time DPO opted to appoint their head of compliance or head of legal as DPO.
This seemed logical. People in these positions could easily become "experts in data protection law" (art. 37.5 GDPR), if they were not already. They typically have a lot of affinity with legal compliance and how it is implemented in practice. Furthermore, in their role as head of legal/compliance, they are not involved in the decision-making for key data processing activities (such as HR data, customer data, patient data, etc.).
Based on the latest decision of the Belgian DPA, all these organisations run the risk of fines, having demonstrated a "high degree of negligence" in appointing their head of compliance/legal as DPO.
2. Belgian Data Processing Authority ruling
Following an investigation triggered by a data breach, the DPA's Inspection Service alleged that the defendant did not comply with article 38.6 GDPR because it appointed its Head of Compliance, Risk and Audit as DPO.
The defendant argued that there was no conflict of interest between these roles, to the extent that the DPO was not involved in any decision-making around the processing of personal data.
The DPA disagreed, pointing out that in its capacity of Head of Compliance, Risk and Audit, the DPO was the end-responsible for the processing of personal data in the context of the organisation's compliance, risk and audit activities. As a result, the DPA ruled that it was impossible for the DPO to exercise any independent oversight on these processing activities.
On the basis of the fact that "the concept of the DPO is not new and has been existing since long in many Member States and many organisations" (although it did not exist in Belgium before the adoption of the GDPR), the DPA's Dispute Chamber concluded that in combining these roles, the defendant acted with a "significant degree of negligence".
The defendant was convicted to resolve the conflict of interest and was fined an amount of 50.000 EUR. The amount of the fine may seem insignificant (approximately 0.001% of annual turnover) but it is by far the highest administrative fine imposed by the Belgian DPA so far.
3. Our view on the ruling
According to the Belgian DPA, there can be no doubt about the fact that "the combination of the role of DPO with that of being the Head of any (!) department that is subject to the DPO's oversight prevents the DPO from acting independently".
It is difficult to agree with such a strict interpretation of the concept of 'conflict of interest', which is much more severe than that adopted by the Article 29 Working Party's in its Guidelines on DPOs.
The Belgian DPAs ruling makes it almost impossible to combine the role of DPO with any other function within an organisation: Put your DPO too high up in the organisation, and the DPA may claim that he/she is also deciding on the purposes and means. Put the DPO at a level which is too operational, and the DPA might argue that he/she is too involved in the actual processing activities (or that he/she is not able to report directly to senior management).
In our view, the DPA's Dispute Chamber also fails to properly motivate why the defendant's DPO Charter would not allow it to deal with potential conflicts of interest in an appropriate manner.
Finally, it seems the DPA sanctioned the defendant on the basis of a hypothetical conflict of interest, as the facts underlying the case did not relate to any processing activity by the compliance, risk or audit departments.
Considering these elements, this decision strikes us as being overly dogmatic and not in sync with the reality on the terrain.
Should the defendant decide to appeal this decision, we therefore expect there is a good chance the Brussels Court of Appeal will quash the DPA's decision.
4. What does it mean for your organisation?
Does this decision create an absolute prohibition to appoint your Head of Legal or Head of Compliance (or any Head for that matter) as DPO? We believe it should not necessarily be the case. Surely, the Belgian DPA's decision sets a precedent (even if it is still subject to appeal).However, the adoption of a solid procedure that allows you to deal with conflicts of interest in those limited cased where an actual one may arise, should allow you to address the issue. This does require that your back-up DPO also meets the legal requirements and is able to act independently from the DPO that is conflicted out.
For smaller companies having adopted a DPO who combines the role with other functions, this may be a practical challenge that is difficult to overcome. Possibly, the only thing that is clear at this stage is the fact that this decision will cause many organisations serious headaches.