
Beware of Potential Conflicts: Should Your Organization Appoint an IT Director as a Data Protection Officer?

Reproduced from the International Journal for the Data Protection Officer, Privacy Officer, and Privacy Counsel, available here.

By Jordan L. Fischer, Esquire, Managing Partner, XPAN Law Group, LLC and Michael A. Shapiro, Esquire, XPAN Law Group, LLC

Since the enactment of the European Union’s General Data Protection Regulation (the “Regulation”), the Data Protection Officer (“DPO”) requirement has been discussed ad nauseam. Professionals from numerous disciplines (legal, compliance, IT, etc.) all rushed to fill these now numerous roles across organizations of all sizes and shapes in Europe and the United States. But what does it really mean to be a DPO? And is your IT Director the best person to fulfil that role? This article explores these questions.

The Role of the DPO

The Regulation requires that a DPO perform a number of tasks within an organization, including (i) informing and advising the company’s employees who carry out processing of their obligations pursuant to the Regulation; (ii) monitoring compliance with the Regulation in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits; (iii) providing advice regarding data protection impact assessments and monitoring their performance; (iv) cooperating with the supervisory authority; and (v) acting as the contact person for the supervisory authority on issues relating to processing. See EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1, Art. 39(1)(a)-(e).

Furthermore, in performing these tasks, the DPO must have “due regard for the risk associated with processing operations, taking into account the nature, scope, context, and purposes of processing.” See id. at Art. 39(2).

As part of the DPO requirement, the Regulation mandates that the DPO “be in a position to perform [his or her] duties and tasks in an independent manner.” See GDPR Recital 97; see also European Data Protection Supervisor, “Data Protection Officer (DPO)” [hereinafter, “EDPS, DPO”], available at https://edps.europa.eu/data-protection/data-protection/reference-library/data-protection-officer-dpo_en (last visited Apr. 15, 2019). Thus, the DPO cannot receive instructions from the organization regarding the exercise of his or her tasks, and cannot be dismissed or penalized for performing these tasks. See GDPR, Art. 38(3). Additionally, it is the organization’s responsibility to ensure that the DPO’s performance of his or her other duties does not result in a conflict of interest, thereby jeopardizing the DPO’s independence. See id. at Art. 38(6).

Potential DPO Conflicts

The DPO’s oversight and enforcement responsibilities, coupled with the requirement for the DPO’s independence, place the DPO in the position of a quasi-regulator and a conduit to the Supervisory Authority. Unlike other company officers, who are obligated to act in the best interest of the corporation and its shareholders, the DPO’s primary fiduciary responsibility is arguably to the principles stipulated by the Regulation, and to upholding the Regulation above and beyond the interests of the company.

The European Data Protection Supervisor (the “EDPS”) expressly states that “[t]here must not be a conflict of interest between the duties of the individual as a DPO and her other duties, if any.” EDPS, DPO. Further, the EDPS provides a list of recommendations to minimize the risk of a conflict, including that:

  • the DPO should not also be a controller of processing activities (for example, if he or she is head of Human Resources);
  • the DPO should not be an employee on a short or fixed-term contract;
  • the DPO should not report to a direct superior (rather than to top management);
  • the DPO should have responsibility for managing his or her own budget.

Id. As part of the independence afforded to the DPO, the organization must provide sufficient resources (personnel, financial, and investigatory) to support the DPO’s role.

IT Director as a DPO

As required by the Regulation, the DPO is responsible for monitoring the decisions and activities of an IT Director for compliance with the Regulation and for cooperating with the Supervisory Authority in investigating security breaches and regulatory violations. Inviting an IT Director to self-regulate as a Data Protection Officer is a classic “fox guarding the henhouse” conflict of interest, and in itself a likely violation of the Regulation.

In October 2016, the Bavarian Data Protection Authority (BayLDA) found such a conflict under the German Federal Data Protection Act (FDPA). See Germany: Data Protection Officer Must Not Have a Conflict of Interests, Baker McKenzie Global Compliance News, available at https://globalcompliancenews.com/germany-data-protection-officer-conflict-of-interest-20161121/ (last visited April 15, 2019). Pursuant to the FDPA, a DPO is an independent authority who works within the company to ensure compliance with data protection law and must not have duties which conflict with his or her obligations under the Act. The BayLDA concluded that the position of an IT manager conflicts with the DPO’s monitoring obligations because the DPO would be required to monitor himself, i.e. to self-regulate. In the BayLDA’s view, “[t]he DPO cannot fulfill [his responsibilities under the FDPA] if he also has significant responsibility for data processing process.” See BayLDA Press Release, dated October 20, 2016, available at https://www.lda.bayern.de/media/pm2016_08.pdf (German only) (last visited April 15, 2019).

In its Guidelines on Data Protection Officers adopted on December 13, 2016, the Article 29 Working Party similarly concluded that the DPO “cannot hold a position within the organization that leads him or her to determine the purposes and the means of processing of personal data.” See Article 29 Working Party, ‘Guidelines on Data Protection Officers (‘DPOs’)’ (WP 243, 13 Dec. 2016), at 15, available at https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf (last visited April 15, 2019). The Article 29 Working Party listed the head of the IT department as a “rule of thumb” position which may conflict with the DPO’s responsibilities, but cautioned that a conflict of interest must be considered on a case-by-case basis in each organization. Id. at fn. 34.

Another potential tension point arises from the fact that the scope of data protection, the DPO’s domain, is much broader than data security, the area of IT’s responsibility. In addition to data security, GDPR-compliant data management requires an organization to consider issues of data collection, use, sharing, and handling. The DPO must have a perspective beyond technical data protection to guide the organization in making decisions on these matters. For example, an organization and its DPO performing a data protection impact assessment would need to consider the nature, scope, context, and purpose of processing before addressing the specific technical safeguards that fall within the purview of the IT department.

In light of the requirements of the DPO position, and its potential conflict with the responsibilities of a traditional IT Director, an organization should carefully consider whether an IT Director can sufficiently and effectively serve both roles. Given the distinct independence requirements of the DPO, it is unlikely that an IT Director would be able to remove herself sufficiently from day-to-day operations to provide the oversight needed to appropriately assess the data protection compliance infrastructure required by the Regulation.

* * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.