When appointing a Data Protection Officer, the GDPR (Article 38(6)) allows the role to be carried out alongside other duties, but makes the controller or processor responsible for ensuring that those other duties do not create a conflict of interests. In practice this means making sure that the designated DPO can act impartially, free from undue influence or pressure, when carrying out DPO tasks. The Article 29 Working Party guidelines on DPOs, since endorsed by the European Data Protection Board, advise as a "rule of thumb" that certain job roles conflict with the tasks of a Data Protection Officer: "chief executive, chief operating officer, chief financial officer, chief medical officer, head of marketing department, head of Human Resources or head of IT departments". This does not leave many senior job roles to choose from: for many companies the entire management team is potentially conflicted out.
It is important, then, to remember that the rule of thumb about conflicted roles has to be balanced against other requirements. The DPO needs to be sufficiently senior to be heard at the top of the organisation: the same guidelines say the DPO should be "invited to participate regularly in meetings of senior and middle management" and that his or her opinion "must always be given due weight." This is not a junior position. The DPO should also have detailed knowledge of the company's culture, activities and organisational structure. These factors carry as much weight as the requirement that the DPO be impartial.
Working with a conflict of interest
Data Protection Consulting's DPO support package includes measures for managing the risk around conflicts of interest in the DPO role. We recommend an open culture in which any conflict of interests that arises is discussed, and in which you document how and why it occurred and what steps were taken to minimise the risk from it.
One approach is to give the DPO a "mentor": an independent adviser with whom they can discuss the role and any issues around impartiality. This might be a colleague from a different area of the company, a DPO from another organisation with whom contacts have been developed, or an external adviser such as an independent consultant. The important thing is that they can offer an impartial view and input to the role. Remember to document these discussions, together with the overall process for handling the conflict, so that you can demonstrate accountability.
For help with GDPR compliance or with the set-up and monitoring of the DPO role, contact us now at firstname.lastname@example.org