EU data protection law sets new requirements
The new EU data protection law, the General Data Protection Regulation (GDPR), which applies to all EU member states from May 2018, places new demands on data controllers, specifically Data Protection Officers (DPO) in companies.
A new era begins next May with the new EU data protection law, the General Data Protection Regulation (GDPR). The GDPR applies to all member states of the European Union (including the United Kingdom, before and presumably after Brexit). To date, there has been much discussion about fines and penalties for breaches, including up to €20 million or 4 percent of a company's annual global turnover.
Nevertheless, the requirement for the role of the Data Protection Officer (DPO) still seems to play a subordinate role in companies. "In the past, the role of the DPO was largely undefined, because the European data protection law that still exists stems from an EU directive from 1995, which does not yet take such roles and responsibilities into account to the same extent as in the GDPR," explains Michael Veit, IT security expert at Sophos.
New IT instances
In those days, data was seen almost exclusively in a "computing context" and the first people to be given the informal title of DPO usually had an IT background. They were the ones who could understand, identify and "protect" the flow of computer-driven data. Today, at a time when technology so dominates our lives, the role and task of a DPO has changed significantly.
Today, the DPO is the authority for data protection within an organization. The DPO must help a company or organisation to comply with its legal obligations - also with regard to respect for the privacy of private individuals.
It is generally about security and this includes not only the view of IT but also the expertise in legal, compliance or customer service and many more. To comply with the guidelines, the GDPR formulates the role of a DPO and also mandates their use in businesses and organizations. For example, all public bodies will mandatorily require a DPO to guarantee freedom of information or human rights.
This also means that in some circumstances even very small organisations or businesses may have a legal duty to have a DPO - for example local authorities or state schools.
But the role is also mandatory for those organisations whose core activities involve "regular and systematic monitoring of data on a large scale" or where core activities involve the processing of particularly sensitive data - for example, data relating to ethnic origin, religious beliefs, health, sex life or criminal convictions.
Useful guidelines
Certain and sometimes helpful guidelines have been developed by the Article 29 Working Party, a group of representatives of data protection authorities across the EU.
The GDPR describes structures (qualities and duties) of a DPO. The following qualifications are required:
- Possibility of "independent" action
- Independent of instructions from the employer
- Knowledge of data protection law
- Sufficient resources to fulfil the tasks
- Report directly to the highest management level
According to Article 29 of the Guidelines, in addition to the qualification of a DPO, no conflict of interest may arise.
Some roles in the company are incompatible with the DPO, including, for example, the CEO, CFO, head of marketing, HR or IT. Other guiding principles explain, for example, that critical "core activities" do not involve the processing of HR information within an HR department - any view to the contrary would result in every company, or operating department, needing a DPO.
