Recently I came across this article written by Tanya Moeller, an Associate in LK Shields Solicitors. It raised a number of thought-provoking questions around appointing in-house solicitors as Data Protection Officers and if this is the right thing to do. Thank you, Tanya, for permitting us to share this work on our platform.
Let’s start a conversation.
Has the GDPR become old news? Whilst some contributors in the public space (falsely) equated it with ‘Y2K’, experienced privacy practitioners knew that, unlike the Millennium Bug, this was a definite event, a permanent legislative innovation.
Moreover, regulatory actions, such as fines, take their time to gain traction. The GDPR’s first “soft” year of being effective is not an indication of how sharp its teeth will ultimately be, as it matures. Now that the initial hype has passed, we may well reach the pivotal moment when enforcement truly begins. In the UK, for example, the Information Commissioner’s Office made headlines in July 2019 with its intent to fine British Airways and Marriott International £183 million and £99 million respectively, for breaches of data protection law.
It pays to remain alert and, primarily, the Data Protection Officer (DPO) will have to drive against ‘GDPR fatigue’ inside an
The GDPR acknowledges, at Article 38(6), that the DPO does not need to be a full-time officer, but may carry out “other tasks and duties” as well, as long as these “do not result in a conflict of interest”.
Primarily, interpretations of this legal provision have focused on how a leadership role in an
This approach is logical, given that persons in positions such as IT Management would determine the purpose, extent
By contrast, a solicitor is not conflicted in quite the same manner. In-house counsel
Such conflicts become apparent when examining each role in greater detail. Firstly, the DPO could be conflicted by the tasks and duties of an in-house counsel. The latter is a legal professional and an officer of the court, and the role entails certain legal work as well as his or her duties to the client (the employer).
By contrast, the DPO does not have to be a lawyer, and owes “only” the common law duty to perform the role in a professional manner and in accordance with the law. Further, he or she may need a set of non-legal skills. According to the Data Protection Commission, these include, for example, an understanding of information technologies and data security, as well as an expert level of knowledge in certain specific IT functions. It is worth considering whether the duties of the practising solicitor may be extraneous duties which, according to the Bavarian court, the DPO should be free from.
Secondly, and possibly more
By carrying out audits, the DPO is a collector and evaluator of facts, on the basis of which an assessment concerning the
For example, an organisation may operate on the basis that personal data is deleted. It is the duty of the DPO to question and test this assertion. The DPO must check systems, verify if data was removed from back-up systems, search for lingering shadow data, examine whether anonymisation techniques are robust, and assess if the organisation inadvertently pseudonymised data. The DPO must, so to speak, look under the carpet, descend into the cellar and check the dusty cabinet for its contents.
In a noteworthy recent throwaway comment by an acting DPO, this role requires the appointee to ‘go forth and find trouble’.
By contrast, the in-house counsel wears the mantle of a
As a result, the in-house counsel may be conflicted if the DPO uncovered facts, which contradict the instructions of an
Due to the DPO role being a sui generis one, any audit reports would not ordinarily enjoy the protection of legal privilege. This may in turn force the DPO to be a witness to a court case the
Equally, the in-house counsel may have written to a party, negotiated an agreement, or provided advice to the
Considering the possible pitfalls, great practical care needs to be taken to spot
It may be useful to take a step back and review your current set-up. Do not feel alone: Article 38(6) explicitly places the obligation on the controller or processor (and not on the individual) to prevent a conflict of interest. As such, it is not just a matter of professional ethics and conscientious behaviour on the part of the in-house counsel and the DPO to wear both hats responsibly. Instead, the
Author: Tanya Moeller, Associate, LK Shields Solicitors
© LK Shields 2019
This article was first published in the November 2019 edition of the Law Society Gazette.