News

12.11.2024

Data Protection and Conflict of Interest

The role of the Data Protection Officer (DPO), or Encarregado de Dados, is critical to fostering a culture of privacy and data protection in organisations. Given their unique position, DPOs must have independence, autonomy, and direct access to senior management to fulfil their duties effectively. However, as organisations seek to optimise resources, the possibility of role accumulation often arises, whereby a DPO might take on additional responsibilities within the company. This raises significant questions around conflict of interest, particularly as data protection regulations continue to evolve in Brazil and globally.

At the heart of the conflict of interest discussion is whether a DPO can genuinely remain impartial when their role intersects with other business functions, especially if those functions might impact or influence data privacy policies. The recent Resolution CD/ANPD No. 18 issued by the National Data Protection Authority (ANPD) addresses this, setting out guidelines to help organisations navigate potential conflicts. This resolution marks an important regulatory advance, as it brings clarity to the DPO’s role, stipulating that while additional roles may be permissible, they should not interfere with the DPO’s duty to protect data and advise on privacy-related matters.

In the private sector, this discussion aligns with broader corporate governance principles, where independence and unbiased judgement are crucial. Under Article 115 of Law 6.404/76, which governs corporate entities in Brazil, a shareholder’s voting rights are limited when exercised with intent to harm the company or its stakeholders. By extension, this principle supports the argument that a DPO’s responsibilities should remain free of any organisational influence that could impair their ability to protect data effectively. This standard also helps reinforce the DPO’s role as a neutral advisor who can engage in decision-making processes without undue pressure.

In the public sector, conflict of interest is addressed under Law 12.813/13, which defines such a situation as one in which a public official’s private interests may improperly influence their official duties. Applying this principle to the DPO’s role underscores the importance of maintaining clear boundaries between their responsibilities and any personal or organisational interests that could impact their judgement. As the DPO role becomes more embedded in Brazilian companies, the need for such clear demarcations grows, especially as privacy becomes a more central aspect of governance.

Resolution CD/ANPD No. 18 includes provisions that ensure a DPO’s technical autonomy, granting them direct access to the organisation’s top decision-makers and thereby reinforcing their ability to make independent recommendations. However, recognising that organisational structures vary widely, the ANPD’s framework allows flexibility for the DPO to accumulate other roles, provided no conflict of interest arises. This flexibility enables organisations to tailor the DPO function to their specific governance needs without compromising privacy principles.

To further mitigate conflicts, organisations may appoint an Alternate DPO in cases of absence or potential conflict, establish a Privacy Committee that supports the DPO, or even opt for an external “DPO as a Service” arrangement. These alternatives provide the support structures needed to allow the DPO to remain impartial and effective, particularly in complex or highly regulated environments.

In practical terms, managing conflict of interest involves assessing three primary risk areas: whether data protection takes priority when it competes with the DPO’s other responsibilities, how much influence the DPO actually has within the organisation, and whether the DPO has adequate resources to perform their duties effectively. This holistic approach ensures that privacy is given the prominence it deserves in decision-making and is protected from any organisational pressures that may compromise its integrity.

When a potential conflict is identified, organisations should reassess the DPO’s placement, particularly if they are involved in departments where strategic data processing decisions are made, such as HR, Finance, or Auditing. In such cases, safeguards such as clear role definitions, transparent reporting lines, and regular conflict assessments are crucial. The failure to address these conflicts proactively could expose the organisation to regulatory scrutiny and potential penalties from the ANPD, highlighting the importance of these preventive measures.

Documenting potential conflicts is an essential best practice. By identifying roles or responsibilities that may be incompatible with the DPO’s duties, organisations can proactively manage these conflicts. For instance, if a DPO holds an additional role in a high-stakes department, the organisation may wish to clearly document this arrangement and outline any steps taken to mitigate potential conflicts. This documentation should extend beyond senior management roles to include lower-level positions that might still have an impact on data processing practices.

Another key consideration is transparency in organisational policies. It is advisable for organisations to include conflict of interest guidelines in their internal policies, which should detail the actions taken to avoid conflicts, as well as the consequences for failing to comply. Ensuring that the DPO’s employment contract includes safeguards against unwarranted dismissal is equally important, protecting the DPO from retaliatory actions that could arise from performing their duties objectively. These measures provide the DPO with the security needed to carry out their role independently, strengthening the organisation’s data protection framework.

Effective conflict of interest management also contributes to a wider culture of data protection within the organisation. By recognising the DPO’s role as a long-term advisor on privacy matters rather than a temporary project lead, organisations can integrate privacy more deeply into their core operations. The ANPD’s regulatory guidelines promote this by encouraging organisations to establish educational campaigns, conduct regular privacy committee meetings, and document all actions taken, further embedding privacy in daily operations.

In summary, while the accumulation of roles by a DPO may offer flexibility, it must be accompanied by a rigorous and ongoing conflict of interest assessment. Implementing comprehensive safeguards to protect the DPO’s independence, such as transparent documentation, cross-functional privacy committees, and direct reporting lines, strengthens the DPO’s advisory capacity and reinforces the organisation’s commitment to data protection. These proactive measures not only enhance the DPO’s function but also reflect an organisation’s dedication to maintaining high standards of governance and regulatory compliance, ensuring that privacy remains a priority in an ever-evolving data landscape.

Article provided by INPLP member: Patricia Peck Pinheiro (Peck Advogados, Brazil)

Co-author: Cecilia Castro

Dr. Tobias Höllwarth (Managing Director INPLP)