The data protection officer (“DPO”) is an essential component of a data privacy accountability framework, playing a crucial role in enabling organizations to ensure, and to demonstrate, data privacy compliance. The role of the DPO is formally recognized, and its responsibilities described, in the General Data Protection Regulation proposed by the European Commission (the “Regulation”).
Contrary to the Commission’s and the European Parliament’s versions of the draft Regulation, the latest release of the text no longer requires companies to designate a data protection officer, leaving it to the Member States to decide whether or not to lay down this obligation.
This does not change the relevance of the role within an organization, and the Member States will most probably follow the Regulation’s “recommendation”.
The most common questions companies face are: what level of independence should be granted to the DPO? Where should this new role be placed, and in which business function? Should a new, dedicated function be created?
There is no golden rule for setting up the DPO role, so many companies are starting to evaluate how to address this requirement by conducting an organizational analysis to better understand where to place the DPO within their organizational structure.
There are two main drivers for the analysis that could be taken into consideration:
- geographical extension: the number of countries in which the Company operates has an impact, owing to the different regulations the Company is required to abide by. The Regulation also introduces the one-stop-shop mechanism (intended to ensure that companies deal with only one supervisory authority, the one where the Company’s headquarters is located, instead of potentially up to 28 national supervisory authorities), but operating in several countries, and transferring personal data among them, is certainly a complexity that will affect the establishment of a single privacy framework within the company and the definition of the Privacy Officer’s activities.
- organizational model: considering the DPO profile (he is expected to have IT, legal and compliance skills), the business functions that can be considered for introducing the Data Protection Officer are, for example, the Legal and Corporate Affairs Department, the Compliance Department and the IT Department.
Each of them has pros and cons, because wherever the DPO is placed, he will certainly have a stronger focus on the concerns of his own business function (e.g. a DPO placed in IT will probably focus on security measures rather than legal requirements).
If the Company has a Corporate Compliance office, this could be the best department to choose, because it grants both an overall privacy focus and independence; nevertheless, the DPO will need strong support from both the IT and Legal Departments.
The Company can also evaluate appointing a third party as Data Protection Officer. If so, a point of contact within the organization has to be defined, and the considerations made above still apply.