Within the EUROPRIVACY #Ready4EUDataP workshop, held on January 26 and dedicated to the practical consequences of the new EU General Data Protection Regulation, I took a special interest in the topic of the role of the Data Protection Officer, discussed in the talk given by Biagio Lammoglia with Fabio Guasconi. Various aspects were taken into consideration:
DESIGNATION (art. 35 of the GDPR) – mandatory for public entities, and for private companies conditional on the presence of certain circumstances: systematic processing of personal data as the core business (did someone say BIG DATA?) or large-scale processing of sensitive/judicial data. It will be crucial to see how these terms are translated and interpreted, since that will define the perimeter of the companies “forced” to appoint a DPO.
POSITION (art. 36) – the role will have to be characterized by cross-disciplinarity, adequate financial resources, autonomy, protection, a high hierarchical level and the absence of any conflict of interest with other roles held by the same person. In my opinion such a configuration makes it extremely onerous to place this position within the company. Can consulting firms therefore legitimately expect that the majority of companies, small and medium-sized ones at least, will prefer to rely on an external DPO?
TASKS (art. 37) – the DPO appears to be vested with responsibility for raising awareness (information and advice), control (supervising compliance, liability, training and auditing), strategic support (assisting with PIAs and risk assessment) and representation (before the DP Authority): all of these tasks are far from operational activities. It would then appear that the role of the DPO, as outlined by the GDPR, takes the form of an eminently “oversight” professional (albeit separate from Internal Audit), very different from those who have the responsibility to “implement” privacy.
It could therefore seem necessary to split the positions in two: a DPO (as described above) and a distinct position, which could be called PRIVACY OFFICER, entrusted with all operational activities. It is clear that many companies will not like this redundancy, but it is hard to imagine that they could appoint only an oversight function (and then who does what has to be done?), or that the same person could also assume operational duties (in that case they would be overseeing their own work). Once again, one would think that the Privacy Officer is appropriately placed within the company, while the DPO would be better hired externally. But this may be an opinion overly influenced by the expectations of external consultants (which I happen to be…).
It will be interesting to follow how this matter is discussed in Italy in the context of the UNINFO E14D00036 project, which has the task of issuing a UNI specification for Privacy Professionals, in accordance with law 4/2013 on non-organized professions and using the EU “e-CF” scheme (e-Competence Framework).