
There’s nothing like consistency

A tale of two Member States, and two supervisory authorities.

First, the Belgian Data Protection Authority is reported to have fined a controller €50,000 for, among other infringements, appointing its director of audit, risk and compliance as its Data Protection Officer (DPO). This was – the DPA appears to have said – a conflict of interest, and therefore an infringement of Article 38(6) of the General Data Protection Regulation (GDPR).

Second (and bearing in mind that all cases turn on their specific facts), one notes that, in the UK, the Data Protection Officer for the Information Commissioner’s Office (ICO) is its Head of Risk and Governance.

Let’s speculate –

Are the tasks of a Head of Risk and Governance likely to be similar to those of a director of audit, risk and compliance?

Would the Belgian DPA take the view that its UK equivalent is infringing GDPR, by appointing as DPO someone in circumstances which create a conflict of interest? (ICO notably says “[In respect of the combined roles of] DPO and Head of Risk and Governance, the tasks and focus of each role complement each other, and do not conflict. Neither responsibility is focused on determining the purposes and means of processing personal data but are both focused on providing advice about the risks, mitigations, safeguards and solutions required to ensure our processing is compliant and supported by our business decisions”).

What view would the European Data Protection Board take, if asked to consider the matter under the GDPR consistency mechanism (for instance on receipt of a request for an Opinion, under Article 64(2))?

Does it matter, given Brexit?

And if it doesn’t matter immediately, might the status and position of the ICO’s DPO be one of the factors the European Commission might subsequently take into account, when deciding whether post-Brexit UK has an adequate level of protection, as a third country?

No answers folks, just questions.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
