Wearing Two Company Hats Tricky for EU Data Privacy Officers

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

To avoid a conflict of interest, employees who handle information processing for a company can’t do double duty as the corporate data protection officer under the European Union’s new privacy regime, privacy professionals say.

The EU General Data Protection Regulation (GDPR) takes effect in May 2018, and requires companies to have a DPO if they systemically monitor individuals on a large scale or use particularly sensitive data related to race, religion, genetics, biometrics or health, among other areas.

Because the GDPR covers the processing of EU citizens’ personal data, wherever and no matter who does the processing, even companies outside the EU may need to appoint DPOs for the first time. But requiring a DPO to be free from conflicts of interest means the role can’t be fulfilled by staff members who are responsible for day-to-day data-processing decisions, the privacy pros said.

Companies, especially if they are wrestling with the concept of having a DPO, may have an tendency to want to appoint someone who works in human resources or information technology and “is already substantially entrusted with the processing of personal data,” Tobias Rothkegel, a data protection and digital business associate with Osborne Clarke in Hamburg, Germany, told Bloomberg BNA.

But DPOs are intended to be independent supervisory entities, he said. As such, they can’t have a role in managing the supervised entities, nor can they be be “tasked with major data processing operations or IT systems administration,” Rothkegel said.

Independence Is Imperative

The GDPR rule on conflicts of interest emphasizes that companies must grant DPOs sufficient independence, Ardi Kolah, executive fellow and co-director of the GDPR Transition Program at the University of Reading’s Henley Business School, told Bloomberg BNA.

“The DPO as defined in the GDPR is a new senior management role. There isn’t anything that’s totally analogous to it,” Kolah said.

DPOs will be responsible for overseeing company compliance with much of the new privacy law’s requirements, and will be accountable in interactions with data privacy regulators, he said. DPOs, though, aren’t prohibited from advising their company on data-use issues, and companies with chief privacy officers could conceivably appoint them to the new position, privacy professionals said.

Companies stand to benefit—in reputation perceptions and otherwise—if regulatory authorities, and individuals whose data are at issue, have confidence in the independence of DPOs, they said.

EU Data Protection Officers

For instance, companies that openly demonstrate compliance with GDPR provisions, including by ensuring their DPOs are independent, may accrue some measure of enforcement deference from regulators, they said. At the same time, a failure to ensure that DPOs are free of conflicts of interest could result in fines of 10 million euros ($10.7 million) or 2 percent of the worldwide revenues of the company, whichever if higher.

A data breach will quickly highlight just how well, and independently, a company’s DPO is functioning, Kolah said. In the event of a breach, a DPO should play “a very important role” in making sure the company learns from that experience, he said.

Regulators Should Be Flexible

The independence of DPOs was set out in December 2016 guidance from the Article 29 Working Party of data protection officials from the 28 EU countries, which said a DPO “cannot hold a position within the organisation that leads him or her to determine the purposes and the means” of data processing. As a “rule of thumb,” that means the DPO function can’t be carried out by a company’s senior management or by those working in areas such as marketing and IT, the guidance said.

But Bojana Bellamy, president of the Hunton & Williams LLP Center for Information Policy Leadership in London, told Bloomberg BNA that the DPO conflict of interest rules shouldn’t be interpreted too restrictively. Although the guidance correctly warned that human resources and marketing could potentially conflict with DPO functions, privacy regulators should “be a little bit more flexible and allow organizations to set it up in a way that works best for them.”

In particular, DPOs should be able to provide strategic guidance on a company’s approach to data use, functioning more as a “a trusted business advisor” than as an internal regulator, Bellamy said. Smaller companies should have leeway to establish their own processes to ensure their DPOs are free from conflicts of interest without grappling with overly prescriptive lists of non-compatible functions from regulators, she said.

Joanne Bennett, European head of legal for Dallas-based Hitachi Consulting Co., Hitachi Ltd.'s strategic business consulting division, told Bloomberg BNA that privacy regulators in each of the EU countries will likely have to supplement the guidance with their own DPO conflict-of-interest requirements. Rather than proscribing certain roles, national guidance should be “clear about defining what a conflict is and the disclosures around that,” so that DPOs have “parameters they can work to that they can evidence to their employer,” Bennett said.

Privacy Roles Differ

For U.S. companies, it may be prudent to consider the obligations and role the EU will expect a DPO to play as the point of contact with EU regulators, privacy professionals said.

Jay Cline, U.S. privacy leader with PwC U.S., told Bloomberg BNA that chief privacy officers “can be the designated DPO, but the two roles are different. The DPO is a stronger role.”

In U.S. companies, chief privacy officers ensure compliance with privacy laws but “often want to accomplish this by coming up with business-friendly solutions,” Cline said. By contrast, a DPO must “serve as an ombudsperson” who will look at privacy from the point of view of maintenance of European-style privacy rights. “They can’t be told that they need to come up with a business-friendly solution,” Cline said.

Bellamy, though, said there isn’t an inherent conflict between the roles. Combining them could help a DPO “be more strategic,” she said.

Looking for Outside Hires

The International Association of Privacy Professionals estimates that there will be a global requirement for 75,000 DPOs to be filled in the run up to the GDPR’s full application.

The requirement for DPOs to be free of conflicts of interest, and the potential difficulty and cost involved in finding good candidates who can fulfill the role, could lead companies to seek outside help, privacy professionals said.

Companies could turn to law firms to hire DPOs, although there’s no requirement that DPOs be lawyers, Susan Foster, an EU data protection compliance member at Mintz Levin in London, told Bloomberg BNA. But that solution presents its own complications.

“Law firms would need to be careful that they’re giving advice that’s a neutral as possible,” and would have to “wear an advisory hat rather than an advocacy hat,” Foster said. Lawyers would have to provide consistent advice to all their clients and refrain from comparing client practices, which “could end up being tricky,” she said.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security