Should all heads of compliance or legal step down as DPOs?
Tim Van Canneyt of Fieldfisher explains the potential impact of a controversial decision by Belgium’s Data Protection Authority.
In a rather shocking decision, the Belgian Data Protection Authority (DPA) has fined a company for having appointed its head of compliance, audit and risk as Data Protection Officer (DPO). According to the DPA, this combination of roles creates a conflict of interest and therefore constitutes an infringement of article 38.6 GDPR.
For many organisations, the appointment of the DPO has been one of the more complicated requirements to deal with under the GDPR. The detailed description of the workload, the high requirements in terms of expertise, but also the expectations of the Article 29 Working Party guidelines in terms of availability and language skills set the bar very high. Add the fact that this function did not exist in most EU Member States and/or organisations, creating a huge demand for the limited number of people that met the legal requirements, and it is clear that many organisations have had huge issues finding the right person for the job.