Belgian Data Protection Authority fines company €50,000 in relation to Data Protection Officer conflict of interest.
I have waited for the dust to settle a little on the recent GDPR fine handed down by the Belgian DPA before commenting.
According to the data protection authority, the company's Data Protection Officer was not sufficiently involved in the handling of personal data breaches, and the company had no system in place to prevent a conflict of interest for the DPO, who also held numerous other positions within the company (Head of Compliance & Risk and Head of Audit). That led the DPA to conclude that the company's DPO was not able to work independently.
This may have major repercussions for any organisation that has bolted the role of DPO onto an existing role. Art. 38(6) of the GDPR states: "The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests."
Furthermore, WP29 guidance has already stated that "As a rule of thumb, conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing."
I have seen a lot of commentary in relation to the fine suggesting that it is at worst a bad decision or at best heavy-handed.
XpertDPO have been very lucky to work with some great clients, and we have completed a lot of internal GDPR compliance audits in organisations ranging from SMEs to large multinationals to semi-public bodies.
We have never submitted an audit report without some form of pushback from the client; there has always been some follow-up dialogue. Generally this is because the client disagrees with some points within the findings.
I have reflected over the past few days on this finding. The WP29 guidance on the role (quoted above) doesn't specifically name the role of head of audit or compliance, but it does name roles of similar seniority within an organisation. An audit should be conducted from a neutral standpoint, giving an honest evaluation of the current state of compliance. In this instance, however, the DPO would be auditing the auditor. This alone should be cause for concern in my opinion; it's rather like marking one's own homework.
There are lots of unanswered questions in relation to the ruling, and I am looking forward to learning more about this as the facts become clearer.
What is clear is that this may create a significant headache for a lot of organisations that have simply bolted the DPO role onto a pre-existing senior role within the organisation.
If the above resonates and you need to review your DPO role, or you need assistance in assessing whether you need a DPO you can get in touch with us. Alternatively, if you do need a DPO we can provide that service. We have lots of happy clients and we can provide examples of our work and lots and lots of references.