Time to review your DPO appointment?
A recent decision issued by the Belgian Data Protection Authority has some ramifications for registered social landlords (RSLs) who appoint a member of staff as their Data Protection Officer (DPO).
The General Data Protection Regulation (GDPR) recently celebrated its second birthday. Many RSLs appointed a DPO when preparing for the GDPR on the basis that they process special category personal data on a large scale as part of their core activities. From November 2019, RSLs were designated as Scottish public authorities for freedom of information purposes, providing an additional reason to appoint a DPO.
Depending on their requirements, some RSLs have appointed an existing member of staff as their DPO, while others have either recruited for a dedicated position or outsourced this to an external provider.
DPOs and the Belgian Data Protection Authority (DPA)
The DPA, the Belgian equivalent of the UK Information Commissioner’s Office (ICO), investigated Proximus SA, a large telecommunications company in Belgium, for a self-notified GDPR breach involving sending e-mails to incorrect recipients. As part of this, the DPA reviewed the company’s GDPR compliance practices, including its DPO appointment.
The DPA issued a €50,000 fine against the company because it had appointed its Head of Compliance, Risk Management and Audit as its DPO. In the DPA’s view, this did not comply with the GDPR and the Head was prohibited from carrying out the DPO role for the following reasons:
The Head had operational responsibility for the data processing activities of their department, for example, regarding internal investigations and audits. Despite having a “DPO Charter” in place, which set out how conflicts of interest were to be resolved, the DPA decided that this responsibility resulted in a lack of independent DPO oversight and verification of such activities. This was important because the GDPR states the DPO may fulfil other tasks and duties within an organisation, but those other tasks and duties must not result in a conflict of interest.
The Head had decision-making power in relation to staff dismissals and assessing staff performance. This was inconsistent with the DPO’s duty of confidentiality and secrecy towards staff on GDPR matters because information staff shared with the DPO in confidence and secrecy could subsequently be used to determine their continued employment when the DPO assumed another role.
The DPA believed the level of fine was appropriate due to the company’s “serious negligence” and it wanted to “vigorously enforce the rules of the GDPR” through “an effective, proportionate and dissuasive sanction”. The DPA noted the company should have been better prepared in its DPO appointment considering its data processing activities, which (like RSLs) involved the processing of special category personal data on a large scale.
What the decision means for RSLs
Although the DPA’s decision is not directly applicable in the UK, this does not mean the ICO will necessarily adopt a different approach. The GDPR is identical across the EU and incorporates a consistency mechanism whereby the EU data protection regulators must ensure the consistent application of the GDPR in certain matters. Given similar circumstances, the ICO may follow the lead of the DPA.
The DPO should not be an individual who holds decision-making power when it comes to determining the “what, how and why” of personal data processing either across the RSL as a whole or within a specific department. Indeed, the European Data Protection Board (EDPB), consisting of all EU data protection regulators, has highlighted that the Chief Executive and Heads of Operations, Finance, Human Resources and / or IT are likely precluded from fulfilling the DPO role due to lack of independence and potential conflicts of interest.
Other members of staff, who do not necessarily head a department, but have a degree of decision-making power over the “what, how and why” of personal data processing may also be similarly excluded. This could include the work of Welfare Rights Advisers, who typically reside under the RSL Housing Services function, but whose role is generally independent when it comes to the processing of personal data because of the nature of their work.
The DPA’s decision broadens the EDPB’s approach to possibly include the head of any department on the premise that their role will inevitably involve some decision-making when it comes to processing personal data within their functional area. This could automatically exclude the Heads of Corporate Services, Housing, Legal, Compliance and Maintenance from being appointed as DPO.
The role may successfully be performed by staff more junior and who do not fall within these categories, but question marks then arise around whether they command the authority with the senior management team to potentially call them to account. While the GDPR expressly prohibits the DPO from being dismissed or penalised for performing the role, it is submitted (with all due respect) that it would be very unusual for a Corporate Services Officer to be comfortable or sufficiently confident to challenge the CEO on non-compliance. The problems are amplified with smaller RSLs where staff often “wear many hats” due to limited human and financial resources.
The obvious solution is for RSLs to appoint an external DPO, but this has budgetary consequences that may require Committee authorisation before appointment.
An alternative is to co-ordinate the DPO role across staff members, consisting of a team of “Data Protection Champions”, who support the DPO and can “step in” if the DPO is conflicted. The ability to step in is, however, predicated on whether the “Data Protection Champions” meet the DPO entry requirements. The bar is set quite high in that the GDPR requires the DPO to have “expert knowledge of data protection law” and this knowledge has to be pitched against the backdrop of the wider regulatory, legal, economic, social and political issues affecting the sector.
A third option is to continue using a department head as DPO, but ensure any actions or decisions giving rise to an actual or perceived conflict of interest are referred to a colleague, who would have the final say – the so-called “four eyes” approach. Having an underlying procedure on DPO conflicts of interest might be useful, although following this in practice may be easier said than done. At the very least, the department head would need to be proactive, constantly alive to the prospect of any such conflicts and be willing to involve colleagues, where appropriate.
It is believed the DPA’s decision is one of the first of its kind since the GDPR became applicable in May 2018. It contains key guidance that RSLs should consider, although the ICO may take a different view for the UK. It is submitted that this would be very unlikely.
RSLs should identify the internal positions that may be incompatible with the DPO role and then set rules to avoid conflicts of interest. Any such internal determinations should be recorded in line with the GDPR’s accountability requirements, lest this issue be examined during a future ICO investigation.