What hat do I wear today? When DPO and Compliance Officer are the same person Carlos Díaz Alsina DPO Triodos Bank, NV, Spanish´s Branch, Compliance Officer
Not all organizations have the size and resources to appoint those officers for each specific risk, so in risk management you can find that the same person shares one of the most common roles: Compliance Officer, Anti Money Laundering ( AML ) Officer, Operational Risk Officer, Data Protection Officer ( DPO ) , General Counsel , Chief Risk Officer, and even in some not highly recommended cases, as detected the Belgian Data Protection Authority, Internal Audit.
This causes us to take a large hat dresser to work and put on the appropriate one depending on the role we are playing at the time. When business unit ask us: Can I bring this or any other product to market? With my Compliance hat I say you have a risk of such regulatory, with operational hat that how you guarantee the continuity of the service, with DPO hat how you guarantee confidentiality, as General Counsel to what licensing laws are necessary, etc.
All these challenges for risk managing are compatible and help the company from several perspectives to achieve a common goal: mitigate the risks of the company, goes in the same track.
However, what happens when we ask ourselves those questions (challenge) for having different roles? Well, simply, we become Judge and party, we would have a conflict of interest that would avoid us from acting objectively and in defence of the interests of the company and other stakeholders.
I will now refer to the specific case of the Compliance Officer and the DPO, regarding the recent resolution of the Belgian Data Protection Authority  that imposed a sanction on a company in which the Compliance Officer , DPO and Internal Auditor were the same person, in all these cases as Head of their respective areas.
- DPO and Compliance Officer. Compatible roles
Both Compliance Officer and DPO have the opportunity of exercising different functions, article 38.6 of the European Regulation 679/2016 GDPR allows it in the case of the DPO and in the case of the Compliance Officer, although its regulation is more spread, in general it allows this compatibility. For example, for the securities markets, ESMA, in the recent revision of June 2020 of the Guidelines on certain aspects of the MIFID compliance function requirements ( ESMA35-36-1952), warns that exceptionally the compliance function can have other control functions, such as anti-money laundering, on condition that that this does not compromise the effectiveness of the compliance function.
DPO and Compliance Officer have more in common than of separation, both can exercise various functions (and indeed that often happens to us in practice), both must base their approaches based on regulatory risks, they should guarantee the independence in their decisions, they must evidence technical knowledge, continuous training and experience , they must be provided with enough resources for their work, access to senior management, which they must advise with complete independence… And why not say it, both must be presumed to be honourable and exemplary within the company, since compliance and protection of personal data have a very pronounced ethical component, regardless of the regulatory one.
This ethical component is seriously affected by the existence of potential conflicts of interest when one function is controlling and monitoring the other one, just simply changing its hat. Moreover, it would damage the objectivity and independence in these functions.
Both RGPD and ESMA emphasize that conflicts of interest should be avoided and that, therefore, the person who performs both functions cannot be involved in the execution of the activities that they monitor.
- Resolution 18/2020 of April 28 of the Belgian Data Protection Authority (DPA)
The case in question referred to a company in which the Compliance Officer, the DPO and the Head of Internal Audit were the same person without, it seems, there was a clear internal delimitation of the situations in which they could occur conflicts of interest
Nowadays, within the risk management models, the three lines of defence model imposes the separation between: business areas (1st), risk and compliance management (2nd) and auditing (3rd) , so perhaps companies of greater size or belonging to regulated markets assumed that is not allowed mixing 2nd and 3rd line. In this case, Resolution 18/2020 was not a great surprise.
But for me it is relevant and very accurate the vision of the Belgian DPA in distinguishing possible conflicts of interest within this 2nd line of risk management, which often go unnoticed, by combining the functions of these roles, fully compatible, without taking certain safeguards.
When DPO and Compliance Officers relays on the same person and monitor themselves, they fail to comply with the necessary independence and objectivity that should be key pillars in their respective functions. When they are also Head of the respective areas monitored, with possibility of decision on resources managing and processing of data in their areas, in fact there is a true conflict of interest between the two roles.
- Recommendations to avoid conflicts of interest.
Yes, we can put ourselves several hats on our daily challenges (if possible, without crossing the lines of defence) however, we must avoid conflicts of interest that are generated by combining several functions. So, collecting and based in the recommendations of the Belgian DPA, to avoid conflicts we could:
- identify the functions in conflict;
- establish internal rules for this purpose,
- include a more general explanation of conflicts of interest in internal policies;
- declare that the DPO has no conflict of interest regarding its role as DPO, in order to raise awareness of this requirement (in control statement that is also valid for other roles such as Compliance Officer);
- provide guarantees in internal regulations, evaluating the different actions to be taken depending on whether the DPO function is exercised internally or externally.
 Chambre Contentieuse, Décision quant au fond 18/2020 du 28 avril 2020 Dossier number: AH-2019-0013 https://www.autoriteprotectiondonnees.be/sites/privacycommission/files/documents/Beslissing_GK_18-2020_FR_.pdf