Role of a DPO – Conflicts Of Interest

Jasmine Harrison

This article delves into the key responsibilities of a DPO, highlighting the importance of their independence from operational roles. We explore common conflicts of interest that can arise when individuals hold both DPO and operational positions.

Discover how to identify potential conflicts within your organisation and learn about strategies to protect the DPO’s impartiality. Read on to gain valuable insights into safeguarding your organisation’s data protection compliance.

Introduction

The UK GDPR sets out specific criteria under which an organisation is mandated to appoint a data protection officer (DPO) and to assign the DPO specific tasks. Where those criteria are not met, it may still be best practice to appoint a DPO because of the scale or nature of the personal data being processed. However, if you do appoint a DPO, whether mandatorily or voluntarily, they must fulfil the tasks of the DPO set out in the UK GDPR.

Where the criteria are not met and no DPO has been appointed, an organisation is still expected to designate a person or team responsible for ensuring compliance with its data protection obligations.

Tasks of the DPO

Section 4 of Chapter IV of the UK GDPR (Articles 37 to 39) sets out the designation, position and tasks of the Data Protection Officer (DPO). The role is central to ensuring compliance with data protection law. Key tasks include:

  • Informing and advising the organisation and its staff of their data protection obligations
  • Monitoring compliance with data protection law and with the organisation’s internal policies
  • Advising on DPIAs, including when they are required and how to conduct them, and monitoring their performance
  • Acting as the contact point for the Information Commissioner’s Office (ICO)
  • Acting as a contact point for data subjects on matters relating to the processing of their personal data and the exercise of their rights
  • Assisting with personal data breach response and reporting
  • Supporting data protection awareness-raising and training of staff

It’s essential for DPOs to operate independently within the organisation to effectively fulfil these responsibilities.

Conflicting Roles

A conflict of interest occurs when an individual or organisation holds multiple interests, one of which could corrupt or interfere with the motivation or decision-making regarding another. This can lead to actions that are biased, unethical, or not in the best interests of the parties involved.

Article 39 of the UK GDPR lists the tasks a DPO should carry out. The Information Commissioner’s Office (ICO) guidance on the tasks of a DPO adds the following:

“The UK GDPR says that you can assign further tasks and duties, so long as they don’t result in a conflict of interests with the DPO’s primary tasks.

Basically, this means the DPO cannot hold a position within your organisation that leads him or her to determine the purposes and the means of the processing of personal data. At the same time, the DPO shouldn’t be expected to manage competing objectives that could result in data protection taking a secondary role to business interests”.

The ICO provides further guidance on whether an existing employee can be appointed as DPO, stating: “Yes. As long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests, you can appoint an existing employee as your DPO, rather than you having to create a new post.”

Building on the ICO’s guidance, DPP has identified common role-based conflicts of interest for DPOs. These findings come from client engagements, in which we have repeatedly found organisations unaware of an existing DPO conflict.

Below are examples of roles within an organisation that DPP would deem to conflict with the role of DPO. The common thread is that each role determines the purposes and means of some personal data processing, so the post-holder would, as DPO, be monitoring their own decisions.

Finance

DPP identifies a potential conflict of interest when a Head of Finance, for example, assumes the DPO role. A focus on cost minimisation may lead them to prioritise budgetary constraints over data protection requirements, such as staff training or the procurement of an information management system. This could compromise the organisation’s compliance with UK data protection law and increase the risk of regulatory infringements.

Head of HR

HR departments process a vast amount of sensitive personal information, including recruitment, performance management, employee records and benefits data, and the Head of HR decides how and why that data is processed. A Head of HR who also acts as DPO would therefore be monitoring their own processing, which makes objectivity difficult to maintain.

For example, the Head of HR might prioritise employee relations or business needs over strict data protection compliance, a decision the DPO should be challenging rather than making.

Head of IT

The Head of IT is responsible for the organisation’s IT infrastructure and systems, most of which process personal data, so the post-holder determines the means of processing for much of the organisation. This overlap makes it difficult for the same person to monitor compliance impartially.

For example, the Head of IT might prioritise system efficiency or cost reduction over data protection measures. Their control over data access and system design also means that, as DPO, they would be assessing security and access arrangements they themselves put in place.

Sales and Marketing

Sales and marketing functions can present potential conflicts of interest for the DPO role. A marketing manager’s focus on data-driven campaigns and customer profiling might conflict with data protection principles, particularly around consent and data minimisation. Similarly, a sales manager’s emphasis on revenue generation could lead to shortcuts in data handling practices. These roles require careful consideration to ensure the DPO can operate independently and effectively.

Directors/Chief Officers

Directors’ strategic focus on business operations can overshadow data protection priorities. This is particularly evident in resource allocation, where a director might prioritise cost savings over investment in data protection. A director also typically determines the purposes and means of the organisation’s processing, which compromises their ability to provide impartial advice as DPO.

How does a DPO remain unconflicted?

To safeguard the DPO’s independence, organisations must implement measures to prevent conflicts of interest. This includes clearly defining the DPO’s role, responsibilities, and reporting lines. Additionally, establishing robust governance structures, such as a data protection committee, can provide oversight and support. It is essential to regularly assess potential conflicts and implement appropriate mitigation strategies.

Some key ways to ensure there is not a conflict of interest include the following:

  • They do not “own” any data processing activities
  • They are a contracted third party and not directly employed by the organisation
  • While there must be one named DPO, the duties are shared, ensuring that more than one person is involved in data protection decision-making and performance measurement
  • Their remuneration is not linked to the financial performance of the organisation or to KPIs such as the number of data protection complaints

Conclusion

The Article 29 Working Party (the European Data Protection Board’s predecessor) produced guidance on the role of the DPO and conflicts of interest. It states that, as a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial or chief medical officer, head of the marketing department, head of Human Resources or head of IT) but also other roles lower down in the organisational structure if those positions lead to the determination of the purposes and means of processing.

If your organisation’s current arrangement risks creating a conflict of interest with the DPO’s role, the appointment may need to be reviewed.

DPP provides an annual Outsourced DPO service in which an assigned consultant performs the duties of the DPO on behalf of your organisation.

Each month of the service focuses on a defined set of topics, with regular progress reporting to the senior management team (SMT). The list below shows the topics DPP would expect to cover over a twelve-month programme: the first month concentrates on the administrative foundations of data protection, and each subsequent month addresses a different aspect of the UK GDPR to form the overall programme of works.

Topics covered across months 1 to 12:

1. Delegation of responsibilities
2. DPO decision
3. ICO registration
4. Policy framework
5. RoPAs
6. Training and awareness
7. Privacy notices
8. Lawfulness of processing
9. Security arrangements
10. Breach reporting processes
11. Risk management
12. DPIA processes
13. Processors
14. International transfers
15. Data sharing
16. Internal audits and compliance checking
17. Individual rights
18. Data retention
19. Data quality and data minimisation
20. Cookie compliance
21. Email marketing

If you would like any more information on the conflict of the DPO role and DPP’s Outsourced DPO service, please get in touch.