In a decision that has somewhat shaken up the GDPR community, the Belgian DPA imposed a fine of Euro 50000/- on a Data Controller who had appointed the Chief of Legal compliance as a DPO. The DPA ruled that there was a conflict between the two roles. (Refer here)
The Compliance officer is normally considered more reliable, both for legal knowledge and for an attitude of compliance, than some other designations such as the CTO, the CISO, or even the CRO or HR head. If the DPA considers that “Legal Compliance” is in conflict with “Data Protection Law Compliance”, there is an important message that we need to understand.
“Personal Data” is part of the “Total Data” that an organization manages. The CISO is in charge of protecting that “Total Data”, and the Compliance official is in charge of complying with all laws that relate to the “Data”. However, this ruling appears to suggest that there could be a lack of focus if a legal professional embroiled in litigation, contract drafting, etc. is expected to manage the complexities of Personal Data Protection.
The undersigned has often equated “Personal Data Management” with something similar to “Hazardous Inventory Management” and has always suggested that the skills and effort required to handle personal data are highly specialized.
To understand this further, we can also look at the role of the “Bomb Disposal Squad”, which is often called upon to remove and investigate any suspicious-looking bag in which there may be a round, heavy object or from which the sound of a clock is coming.
In the normal course, anybody can open the bag and check. But the sensitivity associated with the probability that the object may be a bomb means that an ordinary person cannot be given the responsibility for clearing the suspicious object.
If an officer of the Corporation, knowing the circumstances, orders a garbage removal employee to dispose of the bag, then even if nothing untoward happens subsequently, the Corporation can take disciplinary action against the officer for endangering the community and the individual himself.
We should therefore understand that the DPA of Belgium perhaps had a reason to take what appears to be a harsh decision, and has sent out a loud message to all organizations to consider both knowledge and capability, as well as the conflict situation, before designating somebody as a DPO in their organization.
The same is true for the Indian scenario also.