In light of recent regulatory action regarding Data Protection Officer (DPO) independence, this article considers the ethical and practical considerations surrounding the appointment of a DPO.
The fines and regulatory risk
On April 28, 2020, the Belgian Data Protection Authority (DPA) issued a €50,000 fine to an organization for appointing the head of compliance, audit and risk management as DPO. The Belgian DPA argued that combining these two roles creates a conflict of interest and violates Article 38(6) of the GDPR.
This decision is in line with earlier holdings where the Belgian DPA stated that DPOs cannot delete the personal information of a data subject themselves. All decisions regarding the data processing must be taken by the data controller with the advice of the DPO. The DPO’s role is to inform, advise, monitor compliance, and act as the contact for the supervisory authorities as well as for data subjects. The controller, on the other hand, makes the decisions on data processing, including data deletion.
Duties of a Data Protection Officer
These two decisions highlight important aspects of the GDPR and its requirement of an independent DPO. A DPO is expected to be an expert in all relevant regulations and be available to act as a point of contact between the organization and regulator. The DPO is also responsible for tracking compliance within an organization, collecting information on processing activities, ensuring that data processing satisfies GDPR requirements, and advising the controller and processor on these matters.
Fulfilling this extensive list of duties and responsibilities is only possible when the DPO has the full collaboration of a wide range of departments and individuals within the organization, such as the heads of IT, audit, compliance, and legal, among others.