Independence Day for DPOs?

Viewpoints
February 13, 2023

One of the defining features of the months leading up to and following the introduction of the GDPR was the rapid expansion of the Data Protection Officer Industrial Complex.  The importance of the role — long established in the German legal culture but new to many EU member states — saw reports of demand for DPOs outweighing supply, and that's still the case.

But given the importance of the DPO to the businesses and data subjects they serve, there has been relatively limited regulatory focus on the profession in the five years since the GDPR took effect.

That is starting to change — although it's worth remembering that these developments apply only to organisations that are required by the GDPR to appoint a DPO (for example because they process sensitive personal data, or monitor individuals' behaviour, on a large scale) or where they otherwise do so on a voluntary basis in respect of processing that is caught by the GDPR.  

Last week, the Court of Justice of the European Union issued a ruling on a topic that goes to the heart of the DPO: whether they can be fired for doing their job, and the related question of the role's independence.  The termination issue is clearly important — but it’s not what I want to focus on here.

Instead, I’m interested in what the judgment has to say on the requirement in Article 38(6) of the GDPR that the DPO “may fulfil other tasks and duties … [but] … the controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests”.  Or, as the CJEU puts it: “[I]t must be held that, in accordance with the objective pursued by Article 38(6) of the GDPR, the DPO cannot be entrusted with performing tasks or duties which could impair the execution of the functions performed by the DPO.”

The EDPB Guidance on DPOs says that, as a rule of thumb, conflicting positions within an organisation may include “senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments)” as well as “other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing”.

Some of these roles are obviously unsuitable.  For reasons both GDPR-related and otherwise, you don’t want your CEO or head of HR to be the DPO.  But a threshold of determining the means and purposes of processing personal data casts a very wide net.  Indeed, it could potentially apply to almost any employee: from a compliance analyst who chooses a new vendor to an in-house lawyer providing advice to the business on which personal data should be provided in response to a DSAR.  Most of these employees won’t be the DPO — but most employees who could serve as DPO are likely to determine the means and purposes of at least some processing activities.

In reality, many organisations simply don’t have the resources or personnel to employ a full-time DPO, meaning that balancing potential conflicts of interests becomes a real issue.  We often see someone from legal or compliance being assigned to take on the role in addition to their day job — sometimes willingly, and sometimes less so.  There’s certainly no judgment against those businesses or individuals, although a regulator would likely say that if you’re processing sensitive data or monitoring on a large scale then you need to find the time and resources to employ a (largely) full-time DPO.

Why is this important — and why now?  Because after a relatively fallow period of DPO-related enforcement, the EDPB in September 2022 announced that it would launch a coordinated enforcement action amongst national regulators on the designation and role of the DPO.  Although we may not see a raft of fines in the near-term future, there will certainly be a greater focus on DPOs going forward.

So if your business employs a DPO who wears multiple hats — or if you are that person — now would be a good time to assess the processes you have in place to ensure that they meet GDPR requirements.