DPOs Part 2: Who can be DPO?

Avoid common mistakes that show you don't 'get' GDPR

Who can be your DPO?

Not sure who can be the Data Protection Officer, or DPO, for your organisation?  Are you wondering if YOU can be the DPO for your organisation? 

Don’t panic!  We’ll cover off exactly who can and who can’t be DPO.  And stay with us because we’ll finish with the biggest point that may just save you and your organisation a load of embarrassment, and potentially far more. 

And you can watch our FREE video: ‘Who can be DPO?’, which is part of Privacy Kitchen – FREE video help with GDPR and all things Privacy.  If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos. 

So, you need – or really want – a DPO?

If you’re reading this, you’ve decided you either need – or really want – a DPO.  Hopefully you watched our FREE video on the 3-part test, or read its sister blog post, before you made that decision.  If not, go and do that now: it’s the fundamental question on DPOs and Part 1 of our Privacy Kitchen DPO series.

Who can – and who can’t – be DPO?

Okay, the big question: who can – and who can’t – be your Data Protection Officer, or DPO?  Let’s find out!

Links are at the end of the blog as always.

First off, some great news: although regulators do hope that you make an employee your DPO, you don’t have to.  You can outsource this to an individual or organisation – and we seriously recommend you consider this.  If you do outsource it to an organisation, do make sure you have the name of the single individual who’ll be the lead person for you.

And, helpfully, a single DPO can act for more than one organisation provided the DPO is ‘easily accessible’ from each establishment.  So what does that mean?

Well, the DPO is the contact point for the data subject, for the processor or the controller who’s appointed them, and for the supervisory authority, like our UK Information Commissioner’s Office or UK ICO.  So, being easily accessible means something about location and language skills.

Location

Regulators recommend that the DPO is located in the EU, regardless of where the controller or processor is established.  But they do recognise that in some situations where the controller or processor doesn’t have an establishment in the EU, it may be that the DPO can do their role better outside the EU, presumably close to the entity that’s appointed them.

Language

And on language skills, the DPO must be able to efficiently communicate with data subjects and supervisory authorities, and regulators say that means in the language or languages used by those authorities and by those data subjects.

Now, in practice, we wouldn’t panic about finding someone who speaks six languages – make sure your DPO is really capable, and is supported by people who speak the required languages.

So we’ve already established:

  • your DPO can be an employee or outsourced,
  • they can act as a DPO for others, but
  • they do need to be accessible in terms of location and language to the authorities and the data subjects.

Now the biggest and most misunderstood – potentially controversial – factor: conflict of interest.

Conflict of interest

The key rule here is that DPOs are allowed to have other tasks and duties, but only if those other tasks and duties do not give rise to ‘conflicts of interests’.

This means that two categories of people are potentially conflicted:

  • those involved in determining the ‘purposes and means’ of the processing – they can’t be the DPO, so that’s the C-suite and senior management, who determine the why and the how, and
  • anyone who’s involved in designing or operationalising compliance measures as they’d be ‘marking their own homework’.

Some great examples

Examples are always great and Europe’s regulators have given us some really useful examples.

EU Regulators confirm that the C-suite and senior roles are likely to be conflicted:

  • CEO,
  • COO,
  • CFO,
  • CIO,
  • Chief Marketing Officer,
  • Head of HR, and
  • Chief Medical Officer,

as well as roles lower down in the organisational structure if their roles lead to them ‘determining the purposes and the means’, or the why and the how, of processing.

And EU regulators see that any person who represents the controller or processor in a court in cases involving data protection is also likely conflicted.  Again, in our view, they’re clearly conflicted, and we’re in good company as the European Data Protection Supervisor (EDPS) agrees with us.

Well, they didn’t literally agree with us: the point is made in their guide to DPOs under the GDPR-style law that applies to EU institutions, which is very persuasive on GDPR.  The EDPS agrees about the C-suite roles and adds senior roles in Internal Audit.

And on ‘marking your own homework’, they give two interesting examples where conflicts of interest may typically arise:

  • when a part-time DPO, who’s from IT, assesses processing operations that they’ve designed, or
  • when a part-time DPO, who’s part of the Compliance team, assesses compliance checks and related processing that they’ve designed.

So what about our good old UK ICO?  Well, they were part of that EU body and so, unsurprisingly, they do echo that position.  They give a couple more examples:

  • a company’s Head of Marketing plans an advertising campaign, including which of the company’s customers to target, what method of communications to use, and the personal data that’s going to be collected – this person cannot also be the company’s DPO,
  • on the other hand, they say a public authority could appoint its existing Freedom of Information Officer or Records Manager to be DPO.  There’s no conflict of interest there, as these roles are all about ensuring information rights compliance.

And, before GDPR came in, there was a very interesting case in Germany under a similar DPO law, where a regional Data Protection Authority fined a company for using its IT Manager as DPO.  They decided the IT Manager had significant operational responsibility for the processing, and so was conflicted.

The Belgian DPA, in its 2020 decision fining a company over its Head of Audit, Risk & Compliance acting as DPO (linked below), also cited German legal doctrine on DPOs in making its decision.  Germany has had a much more extensive DPO obligation for many years, including a similar independence requirement – as we saw in the German IT Manager example above.

Bonus Tip!

And here’s that Bonus Tip.

We’ve spoken to plenty of DPOs at organisations that clearly don’t need one, or haven’t really understood what the role’s about.  If that’s you, do have the conversation, because if you’re conflicted, the moment a more sophisticated customer or investor – so one that you really want – takes a look at you, they’ll assume you just don’t understand GDPR.

So here’s the tip.  Well, two actually!

Make that senior employee the Privacy Officer or Privacy Manager.  Just don’t call them the DPO, because that instantly imposes GDPR obligations on both the entity and the person.  And if you really want a DPO, or you just need a DPO, and you don’t have someone good for it in-house, consider outsourcing it.  It’s cheap, there are some great ones out there, and they’ll bring instant experience and advice.  It’ll take a load of stress away from your employees and help you go much faster on compliance.

So there you go!  Take a look at our other videos, including whether or not you need a DPO, and ‘What does a DPO do?’.

Do use #privacykitchen to let us know the other topics and questions you want covered.

Stay well in the meantime and see you soon in Privacy Kitchen!

Links

GDPR itself!

Art 29 WP, WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’), Adopted on 13 December 2016, As last Revised and Adopted on 5 April 2017 

EDPS Position paper on the role of Data Protection Officers of the EU institutions and bodies 30 September 2018 

UK ICO Guide to DPOs

German DPA fine re IT Manager, 2016 

Belgian DPA fine re Head of Audit, Risk & Compliance, 2020