Last week, I had a long and interesting discussion with one of the leading Scandinavian data protection lawyers. We normally see eye to eye on most matters, so I was genuinely surprised to find myself disagreeing with his position on one of the most fundamental building blocks of data protection regulation, namely the position of the Data Protection Officer (DPO).
The discord: He claims that the DPO should abstain from direct involvement in operational matters and instead focus on performing second-line activities, such as monitoring, training and reporting.
My view, which I will explain further below, is that there is nothing in the GDPR that prohibits the DPO from being directly involved in the assessment of operational matters. On the contrary, the GDPR requires it, the guidance from WP29/EDPB (European Data Protection Board) expects it, and sound business management principles also support the position. I claim it is critical that the DPO is directly involved in first-line operational matters and that he or she participates in the assessment of the implications of such activities. My view is that the DPO can move freely across the first and second lines of defence – provided that she or he observes the limitations on the mandate of the DPO. For background info on first- and second-line data protection responsibilities, please see my article on “The Privacy Organisation of Tomorrow”.
The disagreement of course stems from the requirement in Art. 38 of the GDPR, which states that the controller or processor shall ensure that the tasks and duties of the DPO “do not result in a conflict of interests”. From the outset, this can be read as a restriction on participation in the decision-making process for activities, due to the fact that the DPO, at a later stage, will also have to monitor and assess compliance.
Let’s first take a look at what the GDPR actually says about the role of the DPO.
Under the GDPR, it is mandatory for a controller or processor to appoint a DPO where:
- processing is carried out by a public authority or body;
- their core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- their core activities consist of processing on a large scale of special categories of data or personal data relating to criminal convictions.
Art 39 and recital 97 stipulate that the DPO shall assist and advise the controller or the processor on issues relating to the processing of personal data.
In particular, the DPO must:
- inform and advise the controller or processor, as well as their employees, of their obligations under data protection law;
- monitor compliance of the organisation with all legislation in relation to data protection, including audits, awareness-raising activities and the training of staff involved in processing operations;
- provide advice on and carry out Data Protection Impact Assessments (DPIAs), and monitor their performance;
- act as a contact point for requests from individuals regarding the processing of their personal data and the exercise of their rights;
- cooperate with Data Protection Authorities (DPAs) and act as a contact point for DPAs on issues relating to processing.
According to Art 37(5) the DPO shall hold expert knowledge of data protection laws and practices.
Article 38 of the GDPR then mandates that the controller and the processor shall ensure that the DPO is ‘involved, properly and in a timely manner, in all issues which relate to the protection of personal data’.
Among the core tasks of the DPO, as outlined in Article 39, are monitoring of compliance with different data protection laws, advising on DPIAs, and more generally, advising the organisation on how to manage privacy risks.
Article 38(3) establishes some basic guarantees to help ensure that the DPO can perform his or her tasks with a sufficient degree of autonomy within their organisation. Companies are required to ensure that their DPOs are not instructed in the performance of their tasks and the DPO shall report directly to the highest management level.
The WP29, now EDPB, has issued guidelines on the role of the DPO.
The EDPB states in their guidelines that “expert knowledge” includes national and European data protection laws and practices as well as an in-depth understanding of the GDPR.
In their guidelines EDPB further states:
“It is crucial that the DPO, or his/her team, is involved from the earliest stage possible in all issues relating to data protection. In relation to data protection impact assessments, the GDPR explicitly provides for the early involvement of the DPO and specifies that the controller shall seek the advice of the DPO when carrying out such impact assessments. Ensuring that the DPO is informed and consulted at the outset will facilitate compliance with the GDPR, promote a privacy by design approach and should therefore be standard procedure within the organisation’s governance. In addition, it is important that the DPO be seen as a discussion partner within the organisation and that he or she be part of the relevant working groups dealing with data processing activities within the organisation.” [my underlining]
The EDPB goes on to affirm:
“His or her presence is recommended where decisions with data protection implications are taken. All relevant information must be passed on to the DPO in a timely manner in order to allow him or her to provide adequate advice.”
The EDPB furthermore states that if the controller or processor makes decisions that are incompatible with the DPO’s advice, the DPO should be given the possibility to make his or her dissenting opinion clear to the highest management level and to those making the decisions.
The purpose of the DPO
The role of the DPO is to ensure compliance with data protection legislation and enable a free flow of personal data, while protecting the privacy of individuals through interpretation and implementation of data protection laws and practices. To allow data to flow freely within organisations, certain safeguards and good practices are required to be put in place, and the DPO plays an important role in this regard. Hence, the background for the requirement was to establish a role that protects and advocates for the interests of the data subjects.
To be able to truly safeguard the interest of the data subjects, the DPO needs to be more than a second-line resource barred from involving himself or herself in the ongoing operational activities. The DPO needs to be an advocate and a guardian of data subject matters on an operational level. As can be seen from the guidance from the EDPB above, this is anticipated, and the EDPB therefore explicitly recommends the direct involvement of the DPO in forums where decisions on data processing are taken. The EDPB likewise accentuates the importance of the DPO being seen as a discussion partner for the organisation and of the DPO becoming part of working groups dealing with data processing within the organisation. I do not think the EDPB could have written it more clearly; the DPO is expected to play an active role in discussing and influencing the decisions taken by the organisation in the first line. What the DPO cannot do is take decisions in the first line.
If the DPO was only intended to be a second-line role, then it makes little sense for the EDPB to state that, if the controller or processor makes decisions that are incompatible with the DPO’s advice, the DPO should then have the opportunity to make his or her opinion clear to the management level. This requires active involvement of the DPO in the operational assessment of a processing activity, even if the organisation then decides not to follow the advice of the DPO.
The implication of a more restricted, second-line-only role for the DPO would be that services, products, or solutions being designed by the organisation would not be assessed objectively from the perspective of the data subjects until after they were put into production and became subject to controls or auditing by the DPO.
From a business perspective, such a late review of a potentially critical facet of the core capabilities of the service could ultimately necessitate the withdrawal or discontinuation of an already fully developed and released product. This is something which by all means should be avoided due to the commercial and financial ramifications.
Why this uncertainty in the first place?
The reservation regarding whether the DPO can have a first-line, second-line or joint role stems from the ambiguity of the requirement in Art 38 on “no conflict of interest”.
However, beware. “No conflict of interest” was never intended to be read as no involvement in first-line activities – to the contrary. No conflict of interest refers to the first part of Art 38(6), which states that the DPO may fulfil tasks and duties other than those of the DPO. The controller or processor shall however ensure that any such tasks and duties do not result in a conflict of interests. Please also note the 2020 Proximus case, where the mix of responsibilities for the DPO in the second-line compliance function was deemed to result in a conflict of interest. In other words, keeping the DPO solely in the second line will not solve the issue relating to the restriction on conflicts of interest.
A clearly defined mandate that limits the role of the DPO to considering only the interests of data subjects, and not the interests of the controller or processor, can clearly segregate the responsibilities that could otherwise constitute a conflict of interest.
So, where does this leave us?
Firstly, make sure that the DPO is actively involved in operational matters. Not only because the GDPR does not restrict you from doing so. Also, don’t just involve your DPO in operational matters because the EDPB expects you to do so. No – do it because it makes good sense. Do it because it allows you to create and offer better services that from the get-go consider the interests of your customers. Do it because you want to utilise the expertise of your DPO to develop better processes in support of your products or service offerings.
Secondly, remember to question the advice you receive on how to organise your work. If something makes good sense, it was probably not the intention of the law-maker to restrict you from doing so. Also remember that some departments may have an interest in limiting the involvement of the DPO in operational matters, as it can make their work more difficult. In some organisations, you may even find departments actively trying to influence or circumvent the work of the DPO – see my other article on “The Difficult Role of the DPO” for more on this topic. For that very reason it is stated in recital 97 that the DPO should be in a position to perform their duties and tasks in an independent manner.
Lastly, had the role of the DPO only been intended as an appendix to the compliance function of the organisation, the very specific requirements in GDPR on the role and responsibilities would have been unnecessary. The GDPR could simply have stated that the controller or processor is required to monitor the compliance with the regulation. But the regulation didn’t just say that. It put forward very specific requirements on the organisation relating to the involvement of the DPO in all matters that relate to processing of personal data. It put forward a requirement for organisations to seek the advice of the DPO, and it put forward a requirement for the DPO to have expert knowledge on data protection regulation, to enable the DPO to effectively and efficiently inform and advise the organisation on data protection matters.
And that is why the role of the DPO was never intended to just be a second line role, but rather a role that on an ongoing basis is directly involved in the assessment of data protection matters at an operational level.