I am legal counsel in a start up and we can’t really justify hiring a DPO, but we need a DPO given our processing activities – no question about that!
I might take on the role as DPO but would appreciate ideas on steps that can be taken to minimise the risk of authorities deeming it a conflict of interest.
Obviously, a role description (for both roles) clarifying how I do not make decisions regarding data processing might help, but what else can we do?
Legal counsel as DPO – conflict of interest
Barry Moult
Sometimes it’s taking a pragmatic approach, which is what you are doing.
You have a knowledge and experience of current legislation. You understand the workings of the organisation and the risks.
As long as you can work independently in the role of DPO and not be instructed by the organisation, IMHO I see no great issue.
Like with everything, I would document the decision making and get the organisation to own any risk of ‘conflict of interest’ (if there is any).
I know of many organisations who have appointed less suitable persons to be the DPO.
HellenB
The key is to ensure there are no conflicts of interest. There have been a couple of cases recently where fines have been issued regarding this matter. I can only find the link to the Belgian one:
https://edpo.com/news/dpo-and-conflict-of-interest-50-000e-fine-by-the-belgian-dpa/
Stephen Lark
Here is a first – I disagree with some of my esteemed contributors.
For the record, so you can take this advice armed with the relevant knowledge – I am a virtual DPO for several companies – so yes, I sell the service and you may wish to ignore my comment.
I think most roles within a company have a likelihood of the said conflict of interest although legal counsel is one of the less obvious. Furthermore if you only devote a small percentage of your time such as 10% then your knowledge of a hugely complex subject will be limited.
My recommendation is always to use a third party or virtual DPO. For a small company one day a month may be sufficient, and if cash is tight then skip a month. You still get the benefits of priority breach and SAR handling, use of DPO email and as many questions as you want to ask.
It would be interesting to learn how much you think appointing an external DPO would cost.
Dean
I agree here, Legal Counsel and DPO do often sit with one individual, as long as there is a process to keep a degree of separation and document the decision-making elements of the DPO function, then there shouldn’t be a conflict. And like Barry said, your Counsel background lends itself to the role.
Yorkie82
If I recall correctly, the Head of Legal or Legal Counsel are not listed as having an automatic conflict, like CEO, Head of IT or Head of HR. The important aspect is that the Guidelines state that the tasks and duties of a DPO must not result in a conflict of interests, meaning that the DPO cannot hold a position within the organization that leads him or her to determine the purposes and the means of the processing of personal data. I would assume as the legal counsel you are advising on the purposes and means of processing but not deciding on it. In a small team, you might need to balance this out a bit with the senior management, that you are just advising on these topics without a managerial stake in the topics.