
Wrong choice of DPO results in €50,000 fine


An EU Data Protection Authority (the equivalent of the ICO, referred to here as ‘the Regulator’) has fined a company €50,000 (£43,600) for appointing as its Data Protection Officer (DPO) an individual who held another role in the company that created a conflict of interest, in breach of the GDPR.

What does the GDPR say about DPOs and conflicts of interest?

The GDPR allows organisations to appoint an employee who has “other tasks and duties” as DPO, as long as that does not result in a conflict of interest. It is well-established that a conflict of interest will exist in many situations where a DPO holds certain internal positions and, until now, this had been understood to mean those in senior management positions such as CEOs, CTOs, COOs and Heads of Marketing, HR and IT.

In this case the DPO held another role in the company, and the Regulator took the view that there was a complete lack of independent DPO oversight of the data processing activities taking place at the company. The Regulator was also concerned that, because of this dual role, the DPO might not be able to give employees sufficient guarantees of confidentiality and secrecy.

How did the Regulator find out?

Following a data breach, the Regulator started an investigation into the company’s data protection practices and privacy program. This led to it emerging that the DPO had another role in the company.

Why was the fine €50,000?

According to the Regulator, the infringements of the GDPR amounted to serious negligence by the company, noting that:

  • The concept of a DPO is not new;
  • The company should have known what the GDPR says about DPOs and conflicts of interest; and
  • The infringement had lasted a long time: it started in May 2018 (the DPO was appointed when the GDPR came into effect) and continued until now.

What does it mean for organisations with employee DPOs?

This ruling means that the category of conflicting positions has now been enlarged, arguably to such an extent that it is almost impossible to combine the role of DPO with any internal function within an organisation.

Although this case was not decided in the UK, the decision sets a legal precedent that is applicable in the UK.

For many organisations, combining the DPO role with other internal functions may be a challenge that cannot be overcome other than by appointing an external DPO.

Update – 19/05/2020

That company is Proximus and it has decided not to appeal the decision.

In addition, the APD (the Belgian equivalent of the ICO) had warned in its strategic plan that the appointment of data protection officers would be a particular focus of investigation and, regarding this case, it has stated:

“We have come to the conclusion that Proximus’s DPO has a role in decision-making around data issues. The DPO is supposed to serve as a guide in these procedures. He cannot therefore be the adviser and the one who makes the decision…”.

APD (Belgian equivalent of the ICO)

As is being reported, this decision will have consequences because it confirms (as we already knew) that a manager or head of department cannot at the same time hold the function of DPO. As the Group DPO for Ferrero has said, “A very uncomfortable precedent for the several companies that have chosen the same approach”.

Proximus still has one month to appeal.
