We can go on discussing the role and placement of the Data Protection Officer within the company under the new European Privacy Regulation. And we will. But when Luca Bolognini takes a stand, the chatter ends.
On Tuesday, 10/05, in Turin, at the conference “The European Regulation Policy inside the Company” organized by Sistemi Uno, three hundred professionals and companies heard speeches at the highest level. The first speaker was Bolognini, who gave a bird’s-eye overview of 15 relevant GDPR themes, saying some things that are not quite obvious. He made clear (once and for all, I hope...) that the DPO is a supervisory role: the DPO does not apply the policy within the company and does not coordinate management activities. The DPO will therefore need to be a different figure from the Privacy Officer, if the organization already has one, and also from the “Data Protection Designer”, another role not required by the GDPR but one that will become necessary if Privacy by Design is to be properly applied.
Balboni deepened the analysis: the DPO will be a non-partisan body, “German style”, with control functions (he even called it “an auditor”). Balboni also introduced the concept of a “DP OFFICE”, an interdisciplinary team that reports to the DPO and includes IT security professionals, communications specialists (useful, for example, in managing a data breach) and the DP DESIGNER, the figure who will be in charge of the DPIA, carried out with risk analysis methods (the ISO standards were mentioned). Privacy in the company will increasingly be a process (and less and less a policy), and therefore needs to be designed. Technological tools will also be needed to collect documentary evidence, in line with the accountability principle. According to Balboni, it would be appropriate to place the DPO within the company (perhaps leaving the support team outside): an external DPO, possibly not dedicated but shared among too many companies, is likely to have little credibility. In my opinion this is especially true for large multinationals, which are the type of client that high-level professionals like Balboni and Bolognini mainly deal with.
Back to Bolognini’s talk, let me point out three other main points. DPIA: risk analysis should not be just an “engineering matter” but should also take into account the risks that the processing poses to fundamental rights and freedoms, which are the real object of data protection. Penalties: the most severe ones are for violations of the principles enshrined in Art. 5, unlike the current situation, where sanctions are mainly for deficiencies in security measures. Finally, the view that the new security measures (e.g. pseudonymisation) will open up opportunities for processing that would otherwise be unlawful, allowing big data analysis without consent.