Now that the initial hype has passed, we may well reach the pivotal moment when enforcement truly begins.
In Britain, for example, the Information Commissioner’s Office made headlines in July 2019 with its intent to fine British Airways and Marriott International Stg £183 million and Stg £99 million, respectively, for breaches of data protection law.
It pays to remain alert and, primarily, the data protection officer (DPO) will have to drive against GDPR fatigue inside an organisation.
The GDPR acknowledges, at article 38(6), that the DPO does not need to be a full-time officer, but may carry out “other tasks and duties” as well, as long as these “do not result in a conflict of interest”.
Primarily, interpretations of this legal provision have focused on how a leadership role in an organisation might fetter the independence of the DPO.
For example, the Article 29 Working Party argued that this restricted a DPO from also taking decisions as to the processing of personal data.
Equally, a Bavarian court ruled that an IT manager is conflicted when assuming the role of DPO on a part-time basis.
As recently as May 2019, the Belgian supervisory authority held that, under article 38(6), the DPO may not delete personal data. Instead, any decisions regarding processing has to be taken by the controller (in other words, another person in the organisation).
This approach is logical, given that people in positions such as IT management would determine the purpose, extent, and aspects of processing personal data, but would be conflicted if they were also the DPO.
Similar types of conflict may also arise, for example, if the head of human resources, the head of marketing, or the head of customer services were to act as DPO.
By contrast, a solicitor is not conflicted in quite the same manner. In-house counsel provide legal advice to the organisations they work for. As such, they are well-acquainted with the challenge of retaining independence in their work.
So, how could a conflict of interest arise between the tasks and duties of a DPO and an in-house counsel?
Such conflicts become apparent when examining each role in greater detail. Firstly, the DPO could be conflicted by the tasks and duties of an in-house counsel.
The latter is a legal professional and an officer of the court, and the role entails certain legal work, as well as his or her duties to the client (the employer).
Freedom to act
By contrast, the DPO does not have to be a lawyer, and owes ‘only’ the common law duty to perform the role in a professional manner and in accordance with the law. Further, he or she may need a set of non-legal skills.
According to the Data Protection Commission, these include, for example, an understanding of information technologies and data security, as well as an expert level of knowledge in certain specific IT functions.
It is worth considering whether the duties of the practising solicitor may be extraneous duties, from which, according to the Bavarian court, the DPO should be free.
Secondly, and possibly more importantly for our legal professional colleagues, the practising solicitor could be conflicted by the tasks and duties of the DPO.
Article 38(3) of the GDPR requires the controller and processor to ensure that the DPO does “not receive any instructions regarding the exercise of those tasks” outlined in article 39 of the GDPR.
This legal provision must be read together with article 39(1)(b), which requires the DPO to “monitor compliance” and carry out “related audits”. Arguably, the duty to audit poses the biggest challenge to fulfilling both roles on a part-time basis.
By carrying out audits, the DPO is a collector and evaluator of facts, on the basis of which an assessment concerning the organisation’s levels of compliance can be made – and it is not up to the organisation to instruct the DPO as to these facts.
For example, an organisation may operate on the basis that personal data is deleted. It is the duty of the DPO to question and test this assertion.
The DPO must check systems, verify if data was removed from back-up systems, search for lingering shadow data, examine whether anonymisation techniques are robust, and assess if the organisation inadvertently pseudonymised data.
The DPO must, so to speak, look under the carpet, go down to the cellar, and rummage in the dusty cabinet for its contents. In a noteworthy recent ‘throwaway’ comment by an acting DPO, this role requires the appointee to “go forth and find trouble”.
By contrast, the in-house counsel wears the mantle of a practising solicitor, who is instructed. Such instructions may be challenged if not credible, but a practising solicitor would never have to audit the factual instructions from a client on his or her own initiative.
Drama, alibis and motives
To put it dramatically, a solicitor would never have to check an alibi for truthfulness or discover a true motive.
As a result, the in-house counsel may be conflicted if, as DPO, they uncovered facts that contradicted the instructions of an organisation.
For example, an organisation might instruct an in-house counsel that a batch of documents constituted all of the material that had to be provided to a data subject on foot of a subject access request, and prima facie, this instruction could form the basis of subsequent legal advice.
By contrast, the DPO would have to audit how the search was carried out by the company at system level, and make recommendations as to which type of further and additional searches might be necessary or desirable.
Due to the DPO role being a sui generis one, any audit reports would not ordinarily enjoy the protection of legal privilege. This might, in turn, force the DPO to become a witness in a court case involving his organisation, if compelled to produce the report in evidence.
Such a situation would pose difficulties for the in-house counsel who was acting as a DPO on a part-time basis.
Equally, the in-house counsel might have written to a party, negotiated an agreement, or provided advice to the organisation in question, based on a set of instructions.
If then, as DPO, the same person discovered facts that contradicted these instructions, he or she would have to switch back to being an in-house counsel in order to revise the letter of correspondence, the agreement, or the advice given thus far.
Switching such hats would have to be done carefully, and the business would have to be aware as to when the individual was taking instructions and giving advice as an in-house counsel – which might be legally privileged – and when the individual was acting as a DPO in the performance of these duties.
Considering the possible pitfalls, great practical care needs to be taken to spot those situations where conflicts may arise.
The question is: how do you prepare in advance? Do you build yourself a play book? Do you create a manual that describes your own role?
Can you prove to the regulator that you have considered your own methodology of recognising and dealing with conflicts?
Can you prove your own alertness? Can you prove that a reported lack of conflict situations is not an indication that you were unable to identify and cater for these?
Only when an in-house counsel is satisfied that these conflicts can be managed within their organisation should they seriously contemplate taking on the DPO mantle.
It may be useful to take a step back and review your current set-up. Do not feel alone: article 38(6) explicitly places the obligation on the controller or processor (and not on the individual) to prevent a conflict of interest.
As such, it is not just a matter of professional ethics and conscientious behaviour on the part of the in-house counsel and the DPO to wear both hats responsibly.
Instead, the organisation should proactively place this issue into a broader operational framework, ideally relying on an external advisor to provide objective and neutral input, when appropriate.
When done well, the result could be a practical ‘how-to’ guide, which assists and protects both the individual and the organisation.