Should In House Solicitors Take on the Role of Data Protection Officer?

Recently I came across this article written by Tanya Moeller, an Associate in LK Shields Solicitors. It raised a number of thought-provoking questions around appointing in-house solicitors as Data Protection Officers and if this is the right thing to do. Thank you, Tanya, for permitting us to share this work on our platform.

Let’s start a conversation.

Eamonn

Has the GDPR become old news? Whilst some contributors in the public space (falsely) equated it with ‘Y2K’, experienced privacy practitioners knew that unlike the Millenium Bug, this was a definite event, a permanent legislative innovation.

Moreover, regulatory actions, such as fines, take their time to gain traction. The GDPR’s first “soft” year of being effective is not an indication of how sharp its teeth will ultimately be, as it matures. Now that the initial hype has passed, we may well reach the pivotal moment when enforcement truly begins. In the UK, for example, the Information Commissioner’s Office made headlines in July 2019 with its intent to fine British Airways and Marriott International £183 million and £99 million respectively, for breaches of data protection law.

It pays to remain alert and, primarily, the Data Protection Officer (DPO) will have to drive against ‘GDPR fatigue’ inside an organisation. This article aims to support solicitors, who are appointed as DPO’s or who are contemplating to take up this role. Specifically, this article explores the potential conflict of interest between the roles of an in-house counsel and a DPO.

The GDPR acknowledges, at Article 38(6), that the DPO does not need to be a full-time officer, but may carry out “other tasks and duties” as well, as long as these “do not result in a conflict of interest”.

Primarily, interpretations of this legal provision have focused on how a leadership role in an organisation might fetter the independence of the DPO. For example, the Article 29 Working Party argued this restricted a DPO from also taking decisions as to the processing of personal data. Equally, the Bavarian court ruled that an IT Manager is conflicted when assuming the role of DPO on a part-time basis. Finally, as recently as May 2019, the Belgian supervisory authority held that under Article 38(6) the DPO may not delete personal data. Instead, any decisions regarding the processing has to be taken by the controller (in other words, another person in the organisation).

This approach is logical, given that persons in positions such as IT Management would determine the purpose, extent and aspects of processing personal data, and would be conflicted if they were also DPO. Similar types of conflict may also arise, for example, if the Head of Human Resources, the Head of Marketing and the Head of Customer Services was to be a DPO.

By contrast, a solicitor is not conflicted in quite the same manner. In-house counsel provide legal advice to the organisation they work for. As such, they are well-acquainted with the challenge of retaining independence in their work. So, how could a conflict of interest arise between the tasks and duties of a DPO and an in-house counsel?

Such conflicts become apparent when examining each role in greater detail. Firstly, the DPO could be conflicted by the tasks and duties of an in-house counsel. The latter is a legal professional and an officer of the court, and the role entails certain legal work as well as his or her duties to the client (the employer).

By contrast, the DPO does not have to be a lawyer, and owes “only” the common law duty to perform the role in a professional manner and in accordance with the law. Further, he or she may need a set of non-legal skills. According to the Data Protection Commission, these include, for example, an understanding of information technologies and data security, as well as an expert level of knowledge in certain specific IT functions. It is worth considering whether the duties of the practising solicitor may be extraneous duties, which according to the Bavarian court, the DPO should be free from.

Secondly, and possibly more importantly for our legal professional colleagues, the practising solicitor could be conflicted by the tasks and duties of the DPO. Article 38(3) of the GDPR requires the controller and processor to ensure that the DPO does “not receive any instructions regarding the exercise of those tasks” outlined in Article 39 of the GDPR. This legal provision must be read together with Article 39(1)(b) of the GDPR, which requires the DPO to “monitor compliance” and carry out “related audits”. Arguably, the duty to audit poses the biggest challenge to fulfilling both roles on a part-time basis.

By carrying out audits, the DPO is a collector and evaluator of facts, on the basis of which an assessment concerning the organisation’s levels of compliance can be made; and it is not up to the organisation to instruct the DPO as to these facts.

For example, an organisation may operate on the basis that personal data is deleted. It is the duty of the DPO to question and test this assertion. The DPO must check systems, verify if data was removed from back-up systems, search for lingering shadow data, examine whether anonymisation techniques are robust, and assess if the organisation inadvertently pseudonymised data. The DPO must, so to speak, look under the carpet, descend into the cellar and check the dusty cabinet for its contents.

In a noteworthy recent throwaway comment by an acting DPO, this role requires the appointee to ‘go forth and find trouble’.

By contrast, the in-house counsel wears the mantle of a practising solicitor, who is instructed. Such instructions may be challenged if not credible, by a practising solicitor would never have to audit the factual instructions from a client on his or her own initiative. To put it dramactically, a solicitor would never have to check an alibi for truthfulness or discover a true motive.

As a result, the in-house counsel may be conflicted if the DPO uncovered facts, which contradict the instructions of an organisation. For example, an organisation may instruct an in-house counsel that a batch of documents make up all of the material, which have to be provided to a data subject on foot of a subject access request, and prima facie, this instruction can form the basis of subsequent legal advice. By contrast, the DPO would have to audit how the search was carried out by the company at system level and make recommendations as to which type of further and additional searches may be necessary or desirable.

Due to the DPO role being a sui generis one, any audit reports would not ordinarily enjoy the protection of legal privilege. This may in turn force the DPO to be a witness to a court case the organisation is involved in, if compelled to produce the report in evidence. Such a situation would pose difficulties for the in-house counsel who acts as a DPO on a part-time basis.

Equally, the in-house counsel may have written to a party, negotiated an agreement, or provided advice to the organisation in question, based on a set of instructions. If then, as DPO, the same person discovers facts that contradict these instructions, he or she would have to switch back to being an in-house counsel, so as to revise the letter of correspondence, the agreement, or the advice given thus far. Switching such hats will have to be done carefully and the business will have to be aware when the individual is taking instructions and giving advice as an in-house counsel, which may be legally privaleged, and when the individual is acting as a DPO in the performance of these duties.

Considering the possible pitfalls, great practical care needs to be taken to spot the situations where conflict may arise. The questions is: How do you prepare in advance? Do you build yourself a play book? Do you create a manual, which describes your own role? Can you prove to the regulator that you have considered your own methodology of recognising and dealing with conflicts? Can you prove your own alertness? Can you prove a reported lack of conflict situations is not an indication that you were unable to identify and cater for these? Only when an in-house counsel is satisfied that these conflicts can be managed in the organisation they are in, should they seriously contemplate taking on the DPO mantle.

It may be useful to take a step back and review your current set-up. Do not feel alone: Article 38(6) explicitly places the obligation on the controller or processor (and not on the individual) to prevent a conflict of interest. As such, it is not just a matter of professional ethics and conscientious behaviour on the part of the in-house counsel and the DPO to wear both hats responsibly. Instead, the organisation should proactively place this issue into a broader operational framework, ideally relying on an external advisor to provide objective and neutral input, when appropriate. When done well, the result could be a practical how-to guide, which assists and protects both the individual as well as the organisation alike.

Author: Tanya Moeller, Associate, LK Shields Solicitors

© LK Shields 2019

This article was first published in the November 2019 edition of the Law Society Gazette.