Data Protection Officers: towards better data protection?
Directive 95/46/EC gave European Union member states the option of providing in their national law for the appointment of a Data Protection Officer (DPO), but the appointment remains optional. Today, the European Commission's draft reforming the EU data protection framework (the proposed General Data Protection Regulation) provides in art. 35 that the DPO role will become mandatory for personal data processing that affects large numbers of individuals (5,000 or more data subjects in any 12-month period), for location data, and for children's data held in large-scale filing systems.
Within the organization, the DPO (also called the data compliance officer or data privacy officer) supervises compliance with the national data protection legislation and is responsible for keeping a register of the personal data processing operations carried out by the organization. The DPO is also in charge of ensuring that the rights and freedoms of the data subjects are unlikely to be adversely affected by those processing operations. The statutory tasks and powers of the DPO give this officer an independent position within the organization.
In France, this role is performed by the "Correspondant Informatique et Libertés" (CIL). Organizations that have appointed a CIL are exempt from the duty to notify most processing operations to the French supervisory authority (CNIL).
In Germany, appointing a DPO is mandatory for companies that reach the statutory threshold set by the Federal Data Protection Act (BDSG), namely ten or more persons regularly engaged in automated processing of personal data. The officer can be held criminally liable for failing to prevent a data breach that he could reasonably have been expected to prevent.
In the UK, there is no requirement for organizations to appoint a data protection officer, and organizations that do have a DPO must still register with the Information Commissioner's Office (ICO). The ICO has stated that it has no specific views on the appointment of DPOs.
At European level, the position of European Data Protection Supervisor (EDPS) was created in 2001 by Regulation (EC) No 45/2001. The EDPS is responsible for making sure that all EU institutions and bodies respect people's right to privacy when processing their personal data.
So, what should businesses do in order to prepare?
Although the draft Data Protection Regulation has not yet been adopted, many organizations are already putting greater emphasis on data compliance and are hiring specialists to ensure that they meet their data protection and information security obligations.
As privacy regulations become ever more complex, especially for large multinational companies, creating a dedicated position within the company, or requiring the company to hire an individual to serve in such a role, appears to be the practical way to monitor privacy and security. The current proposal states that this person should combine technical and legal knowledge of data protection; in practice the work can be done either by a single individual or by a team of internal and external professionals working under the supervision of the data protection officer.
With the DPO expected to become mandatory sometime in 2016, enterprises should make sure that their budgets and financial forecasts for 2015-2016 include provision for compliance with the new law, including the appointment of a Data Protection Officer.
Student in the Master 2 Droit de l'Economie Numérique (Digital Economy Law) at the Université de Strasbourg.