DPO and organizational models in the company

By | Thursday January 26th, 2017

By 25 May 2018, controllers and processors, as required by Article 37 of the GDPR (General Data Protection Regulation), must designate a data protection officer in three specific cases:

a) where the processing is carried out by a public authority or body;
b) where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or
c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.

The Article 29 Data Protection Working Party adopted, on 13 December 2016, its Guidelines on Data Protection Officers (‘DPOs’).

The guidelines elaborate on the cases in which appointment of a DPO is mandatory, on the concepts of “core business”, “large scale”[1], “regular and systematic monitoring” and “conflict of interest”, and on the skills and knowledge that the professional role of the DPO requires.

Article 37(5) of the GDPR provides that the DPO “shall be designated on the basis of professional qualities”, such as: expertise in national and European data protection law; knowledge of the business sector and of the organization of the controller; knowledge of the internal processes, of the information systems, and of the data security and data protection needs of the controller; integrity and high professional ethics. It is important to remember that the Charter of Fundamental Rights of the European Union, in Article 7(1), states: “Everyone has the right to the protection of personal data concerning him or her”.

The DPO will be supported by an organizational structure that helps him ensure compliance with the GDPR, in the absence of any conflict of interest; the WP29 identifies conflicting positions such as chief executive officer, chief operating officer, chief financial officer, chief medical officer, head of the marketing department, head of Human Resources and head of IT.

For companies, the designation of the DPO and of the supporting structure will represent a cost and a complex organizational obligation.

Large companies have sufficient economic resources and skills to set up an ad hoc office for the DPO, staffed with people who have specific skills in risk management, legal, organization, processes, data security etc.

The DPO’s office will be committed solely to verifying compliance with the GDPR (Table 1 shows an example of an organizational chart with a DPO in a large company). In this type of company there will also be more operational structures, which will handle the practical implementation of the regulatory obligations imposed by the GDPR and which we conventionally call the structure of the Privacy Officer (for example: drafting the privacy policy, drawing up contracts with external processors, carrying out data protection impact assessments etc.).

It is important to remember that medium to large companies already have internal human resources with skills in risk management, legal, IT, etc., even if not specialized in data protection. A second organizational model, which I believe will be adopted in many medium/large companies, is based on the concept of an independent DPO who, together with a small staff, relies in carrying out his activities on the support and collaboration of the various offices (compliance, legal, security, IT, internal audit), each of which, for different reasons and at different levels, contributes to full respect of the GDPR’s principles. Especially in the early stages of implementing this new organizational model, the DPO can also secure the continued support of an external consulting firm, which can be called upon to strengthen oversight of compliance with the new Regulation (Table 2 shows an example of an organizational chart with a DPO in a medium/large company).

In addition, the function of the DPO can also be exercised on the basis of a service contract concluded with an individual or an organisation outside the controller’s/processor’s organization. The service may be provided by a well-structured consulting firm or by a group of professionals who pool their individual skills in a team so that they can serve their customers efficiently.

For the Italian industrial context, implementing one of the organizational models proposed above would be a “utopia”. In fact, about 90% of Italian firms have fewer than 10 employees, and for many of them simply taking on a qualified resource such as a DPO would entail costs that are too high. From this point of view, the proposed EU data protection regulation reasonably expected that only companies with more than 250 employees would be required to appoint a DPO; this size limitation does not appear in the final version of the GDPR. I think it is important to widen the debate on the application of the GDPR in SMEs: the new Data Protection Regulation may involve unsustainable compliance costs for this type of business. Moreover, many SMEs may have a hard time staying on the market, especially if strongly linked to large companies that will demand compliance with the GDPR, especially in terms of security.

Conclusions

The evolution of European privacy regulation, its impact on almost all business areas, and the increasing use of data for operational and commercial purposes by companies require companies to equip themselves with an organization commensurate with the complexity of the activities carried out. The figure of the DPO will be essential for compliance with the European Regulation and for spreading the culture of data protection within the enterprise. In an increasingly interconnected world, respect for privacy principles may represent a significant competitive factor for many businesses, and for some of them an essential condition for staying on the market. However, it is undeniable that the greater organizational complexity required by the GDPR will lead to increased costs, and for small and medium-sized enterprises this may prove unsustainable.

[1] For the WP29, companies such as insurance companies, banks, hospitals, telephone or internet service providers process data on a large scale and will therefore have to designate a DPO.

6 thoughts on “DPO and organizational models in the company”

  1. silvia stefanelli

    Beautiful tables.
    Thank you.

    I fully agree on one point.
    The real problem for small companies that have to have a DPO (or, in general, have to comply with the Regulation) will not be so much the checks by the Garante (which in any case has limited resources and energy) as being contractually compliant with the demands of the large company they work with (i.e. the controller – processor relationship).
    On this point, I note that the Spanish data protection authority recently published Guidelines for the contract between Controller and Processor

    link below
    https://www.agpd.es/portalwebAGPD/temas/reglamento/common/pdf/directricescontratos.pdf

  2. Alessandro Crepaldi Post author

    Many thanks, Silvia, for the comment and for your observations, which I fully share. The document you pointed out is valuable and I will read it with interest.

  3. paolo calvi

    I agree with the post’s conclusion (and with Silvia’s observations): the real “authority” will be the market, in particular for those SMEs that will have to interact with “large companies that will demand compliance with what the GDPR establishes”. From this point of view, the adoption of codes of conduct suggested by Fumagalli (https://blog.europrivacy.org/it/2017/01/25/a-sustainable-and-effective-privacy-for-smes/) is certainly helpful but does not solve the problem of contracts.
    I would add that the issue is already topical today: for example, a small Italian company I am advising, a supplier to a large German company, is being asked by its customer TODAY why it does not have a DPO!
    The Spanish document is also interesting. Note, for those who do not speak Spanish, that what they call “Responsable” is the Controller (our Titolare), while the Processor (our Responsabile) is what they call “Encargado”.
