In the latest version of the Privacy Regulation, the DPO role is not compulsory but optional for Data Controllers.
The DPO is, however, mandatory for all institutions and bodies of the European Union (agencies).
The latest version of the Regulation also makes certification optional. Organizations wishing to be certified should appoint a manager to lead the project of obtaining and maintaining the certification.
Most certifications (for example ISO 9001) require some kind of internal auditing, and this duty is usually assigned to the certification project manager (the Quality Assurance Manager).
Compliance with laws and regulations is among the duties usually assigned to Internal Audit (see https://en.wikipedia.org/wiki/Internal_audit), and organizational independence and objectivity are cornerstones of the related professional standards.
Under the COSO enterprise risk management (ERM) Framework, compliance risks should be addressed within the Risk Management framework with a holistic approach. So Privacy compliance should be approached from a Risk Management perspective and, more specifically, side by side with Information Security Risk. In fact, ISO 27002 clause 18.1.4, “Privacy and protection of personally identifiable information”, deals with Privacy.
So we can summarize that, in most cases, as an organizational role the Privacy Assurance Manager (i.e. the project manager of the Privacy certification) should sit within Internal Audit and very close to the Chief Information Security Officer.
Regulation 45/2001, in Section 8 (article 24), prescribes that “Each Community institution and Community body shall appoint at least one person as data protection officer” to ensure the enforcement of the Regulation itself, in strict cooperation with the European Data Protection Supervisor (EDPS), instituted as an independent authority by the same Regulation in Chapter V (art. 41) with powers close to those of the Member States' supervisory authorities. “Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive” reads art. 28 (Chapter VI) of Privacy Directive 95/46.
In fact, the Directive itself is not strictly applicable to EC bodies, so the Community established its own supervisory authority (the EDPS).
The same art. 24 of Regulation 45/2001 specifies the personal qualifications of the DPO, his/her organizational position, independence and duties, and his/her relationship with the EDPS.
The EDPS has promoted the drafting of a document that sets out more precisely the independence and duties of DPOs and has published it on its website.
I feel that most of its content is applicable to the DPO inside other entities: the qualification and independence requirements apply to all organizations, while the relationship with the EDPS, or more generally with the supervisory authorities, perhaps applies only to public entities such as government, local authorities and public agencies.
Citizens can easily change one of their suppliers if they are not happy about how it deals with Privacy matters, but to change state they must relocate. So such not-for-profit entities should provide more protection to people, and the DPO's ability to bring his/her organization's misconduct to the attention of the supervisory authority has more meaning. A for-profit organization can go bankrupt because of heavy fines and bad judgment by its customers, so a DPO should think twice before becoming a whistleblower.
Article 22 of the new Privacy Regulation is worded differently in each version (Commission, Parliament, Council), but all of them state that, at least in some cases, the data controller shall adopt policies and implement appropriate measures to ensure, and be able to demonstrate, that the processing of personal data is performed in compliance with the Regulation.
The Italian transposition of the Privacy Directive (namely D.Lgs. 196/2003), at art. 15, requires the data controller to prove in court that he/she made every reasonable effort to protect personal data (the so-called “prova diabolica”, or devil's proof).
I feel that certification is the best (and perhaps the only) viable solution for complying with Art. 22 of the new Regulation, and that the DPO (or a similar organizational role) is a way (the best way) to achieve certification.
I can sum up my point of view about the DPO role and independence as follows:
- Certification is an option that has the benefit of satisfying the art. 22 requirement (proof of compliance)
- The DPO as a source of information and knowledge about Privacy
- The DPO as the internal auditor for Privacy, required by any feasible project to obtain a Privacy certification
- The DPO shall be independent and work within, or in strict cooperation with, Internal Audit and Information Security
- The DPO of a controlled legal entity should report to the DPO of the parent corporation
- The DPO should be free to interact with the Supervisory Authority in “not-for-profit” organizations