Is your CEO wearing too many hats? If one of those happens to be Data Protection Officer (DPO), your organization could be facing significant legal and compliance risks—as one company discovered after being hit with a €5,000 fine by Austria’s data protection authority (DSB).
The DSB penalized a company for appointing its managing director as its Data Protection Officer, highlighting a fundamental conflict of interest that violates core principles of the General Data Protection Regulation (GDPR).
“Appointing a CEO as DPO creates an inherent conflict where the same person determines how data is processed and simultaneously oversees compliance with data protection laws,” explains legal expert Tijana Žunić Marić from Žunić Law, who documented the case. “This arrangement fundamentally undermines the independence required of a DPO under GDPR Article 38.”
The ruling reinforces a critical principle in data governance: segregation of duties. Under GDPR, a DPO must operate independently, free from conflicts of interest that could compromise their ability to monitor compliance objectively.
This case serves as a warning to organizations that might be tempted to assign data protection responsibilities to executives who already determine business objectives and data processing activities.
Similar Conflicts in Cybersecurity Leadership
The same conflict-of-interest concerns extend to Chief Information Security Officer (CISO) roles. Many organizations still position their CISO under the Chief Information Officer (CIO), creating a problematic reporting structure.
Having a CISO report to the CIO creates a classic conflict of interest. The CIO is incentivized to deploy systems quickly and efficiently, while the CISO must ensure security—often requiring additional controls that may slow deployment.
Forward-thinking organizations are addressing this by having CISOs report directly to the CEO or board, establishing independence from the IT department they must oversee.
What This Means For Your Organization
If your company has assigned DPO responsibilities to a senior executive who also determines data processing activities, it’s time to reconsider this arrangement. The same applies if your CISO reports to your CIO.
Proper segregation of duties isn’t just about compliance; it’s about creating effective checks and balances that protect your organization and its stakeholders. As regulatory scrutiny intensifies, ensuring these key oversight roles maintain true independence has never been more important.