Examining the new EU data protection regulation
What companies need to know about appointing a DPO
By Dr. Annette Demmel, Squire Sanders | CFO UK | Published 15:08, 23 January 13
On 25 January 2012, the European Commission published a draft Data Protection Regulation, intended to replace the current regulatory framework. If implemented as drafted, this Regulation will have a major impact on all organisations based in Europe, or doing business with Europe.
One of the most notable changes provided for by the proposed Regulation means that businesses and organisations operating in the European Union could soon be searching for candidates for a new mandatory role: the Data Protection Officer (DPO).
Who needs to appoint a DPO?
Clearly inspired by the German data protection act (BDSG), the draft Regulation introduces at EU level a mandatory DPO for the public sector and, in the private sector, for enterprises that (i) permanently employ more than 250 persons or (ii) whose core activities as a data controller or processor consist of regular and systematic monitoring of individuals.
While in the former case a group of companies may appoint a single DPO, in the latter case each group company needs to appoint its own DPO. According to the proposed Regulation, national regulators can impose fines of up to €1,000,000 or 2 percent of annual worldwide turnover, if a company fails to designate a DPO.
What is the DPO concept good for?
The basic idea behind the DPO concept is to enhance self-regulation in the field of data protection. The DPO – whether or not an employee of the company – shall serve as a knowledgeable contact person for the management, staff, supervisory authorities and data subjects, and shall assist the company in monitoring internal compliance with the applicable data protection laws and regulations.
To this end, the DPO shall report directly to the company's management, and the management shall ensure that the DPO is properly involved in all issues relating to the protection of personal data and can perform his or her duties and tasks independently, without receiving any instructions as regards the exercise of the function.
Moreover, the company shall support the DPO in performing the tasks and shall provide the necessary resources, such as staff, premises and equipment etc.
Appoint an internal or external DPO?
In order to qualify as a DPO, a person must have adequate legal, organisational and technical expert knowledge; the necessary level of knowledge is determined by the extent and nature of the data processing operations carried out by the appointing company.
Should a company choose to appoint an internal DPO, any conflict of interest that may result from that person's other tasks and duties must be avoided. Therefore, a company's current CFO or Head of IT, HR, legal or marketing functions are not suitable as the company's DPO.
It is also worth noting that the proposed Regulation requires organisations to appoint the DPO for a minimum period of two years, during which the DPO enjoys substantial protection from dismissal: in other words, the DPO may only be dismissed if he or she no longer fulfils the conditions required for the performance of his or her duties.
It might, therefore, be preferable to appoint an external expert, in particular as the associated cost implications of training are not to be underestimated.
Core tasks of a DPO
While the general responsibility of the DPO is to ensure that the appointing company complies with the applicable data protection laws and regulations, the specific tasks that DPOs will have to deal with according to the draft Regulation include in particular:
- to inform and advise the company of its obligations (such as the requirements of data protection by design, data protection by default, data security and the duty to inform data subjects) and to monitor the implementation and application of the company's policies in relation to the protection of personal data, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits;
- to ensure that the mandatory documentation of the company’s data processing operations is maintained;
- to monitor the documentation, notification and communication of personal data breaches; and
- to co-operate with the supervisory authority at the latter's request or, if appropriate, on the data protection officer’s own initiative.
It will be interesting to see whether businesses in the EU will perceive the mandatory DPO concept as an administrative burden or as a beneficial strategic resource to their organisation.
The draft Regulation will now be considered by the European Parliament, as well as the Council of Ministers, giving significant opportunities to amend the draft. The likelihood, however, is that at least some of the basic proposals will be implemented, though they will not come into force until two years after the final Regulation is adopted.
Dr. Annette Demmel is a partner in the IP & technology department of international law firm Squire Sanders. She is a certified specialist for information technology law as well as copyright and media law. A key area of Dr. Demmel’s practice covers privacy and data protection law. She may be reached at - Annette.Demmel@squiresanders.com