The Article 29 Working Group, the predecessor of the European Data Protection Board (a body consisting of all the data protection regulators in the EU), issued guidelines (http://ec.europa.eu/newsroom/document.cfm?doc_id=44100) quite some time ago confirming that a Data Protection Officer must be independent in the carrying out of their functions. They must not take direction from senior management as to the carrying out of their functions, nor may they also fulfil another role which might conflict with their role as Data Protection Officer. The Article 29 Group gives a list of roles which it indicated would conflict with the independence of the Data Protection Officer.
These are senior management positions (such as chief executive, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of Human Resources or head of IT), but also other roles lower down in the organisational structure if such positions or roles lead to the determination of the purposes and means of processing.
The Department of Social Protection became the subject of criticism when it emerged in July 2018 that in the absence of the then Data Protection Officer who was on leave, changes were made to the Privacy Policy of the Department. These were authorised by the Secretary General of the Department. Strictly speaking, the Data Protection Officer does not have to authorise the Privacy Policy, but they are obliged to monitor compliance with the GDPR.
More recently, the Department of Social Protection has now been subject to further criticism because the previous Data Protection Officer was removed from that role by the Department, and replaced with a colleague who also heads its Business Information Security Unit (BISU), which has been designated as the data controller for the Department. Clearly, the head of the controller cannot also be its Data Protection Officer.
We would suggest, with respect, that the current situation is untenable, and is likely to fall at the first challenge. It seems a clear example of the State misunderstanding its obligations under the GDPR.
We have seen this on many occasions, with State bodies appointing heads of IT and heads of other business units to be the Data Protection Officer. It is clearly still not understood within the State sector that the Data Protection Officer is more in the nature of an independent auditor than an operational role on behalf of the controller.
It seems likely that the present stance of the State sector will lead to litigation. The Data Protection Commission has already taken an interest in this matter, but previous investigations by that body would not suggest that there will be an outcome from that investigation any time soon. However, this is not likely to be the Department’s main problem. Under the new principle set out in the GDPR that data subjects may sue for “non-material damage”, it is likely that any person who has concerns over the processing of their personal data, in circumstances where the protection afforded by the Data Protection Officer may be less than envisaged in the GDPR, could sue the Department.
Such a claimant would not have to prove material damage of any kind. They would likely simply need to show that there had been a breach of their statutory rights in this regard and that this had caused them some discernible level of distress.