A conflict of interest - Privacy vs. Privilege
Nader Henein
Gartner VP Analyst - Data Protection and AI Governance - FT 100 BAME IT Leader
A little over a month ago I read an exceptionally well researched paper(1) on the tension between the CISO and their general counsel, and how that tension undermines cybersecurity.
The paper illustrates what happens when a cyber incident occurs, and how legal take over to ensure that the findings are covered by privilege, thereby limiting what may be available to plaintiffs at a later stage through discovery. This opacity in the ensuing investigation means that CISOs will not get the information they need to adequately and expeditiously mitigate against similar incidents.
The paper helped me crystallize a concern which I have been nursing for quite a bit of time regarding privacy officers and their reporting lines.
More often than not, an organization's chief privacy officer (CPO) as well as their data protection officer (DPO) report into legal. In many instances, they are corporate lawyers themselves, sitting in the legal department.
One of the primary duties of counsel is to protect the organization from fines and litigation. Does that undermine the DPO's responsibility towards data subjects, and could it be viewed as a conflict of interest under the GDPR?
On February 9th, the Court of Justice of the European Union (CJEU) ruled(2) on an Article 38(3) case. The court stated that DPOs should “be in a position to perform their duties and tasks in an independent manner”.
Fundamentally, a data protection officer reporting into general counsel may find themselves in an impossible position, where protecting the privacy of their data subjects is a career limiting move because the person to whom they report is incentivized to limit fines and litigation.
Would it be adequate if organizations established strong policies and procedures to handle conflicts and minimize their potential impact? That is yet to be seen.
In the meantime, organizations should put more effort into separation of duties as well as reporting lines to ensure that DPOs are able to “perform their duties and tasks in an independent manner”.
(1) Daniel Schwarcz, Josephine Wolff, and Daniel W. Woods, "How Privilege Undermines Cybersecurity"
(2) CJEU ruling on Article 38(3): Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 38(3) – Data protection officer – Prohibition on dismissing data protection officer for performing his or her tasks – Requirement for functional independence
(3) GDPR Article 38, Position of the data protection officer
Decode CJEU, EDPB & DPA news | International speaker | Grumpy GDPR podcast | DPO Hub & NoTies Community | Not daily on LinkedIn & no app, email if urgent
6 days ago: You were spot on regarding "career limiting move" Nader, the Norwegian DPA raised exactly this in the record NOK 4m DPO fine case (initially flagged as 99m!): https://www.dhirubhai.net/posts/riealeksandra_norway-dpa-telenor-asa-dpo-fine-official-activity-7307421594790850561-i8lF All in all, they "strongly doubted" an in-house associate lawyer could also act as DPO.