The legislation treats data protection as a general problem of high priority and obliges organizations to address it seriously and consciously, outlining the tools and strategies to get organized coherently and do their part to counter this risky situation. The GDPR defines an approach for creating a system in which information security is a default value, maintained constantly from the design of a process onward and based on prevention and awareness. One of the main tools for governing this system is the Data Protection Officer (DPO).
According to the best practices, the designation of the DPO should be preceded by a careful analysis. This assessment should highlight the aspects related to responsibilities, conflicts of interest, costs and benefits.
The DPO, in fact, cannot hold a position in the company which could lead him into a conflict of interests (GDPR Sect. 4, Art. 38). In particular, he cannot be responsible for activities that contribute to the definition and management of security policies on data processing. Therefore, he is not eligible to hold a role with direct responsibility for data protection policies.
The responsibility for the protection of personal data lies with the Controller (GDPR, Art. 24) and with the Processor (GDPR, Art. 82).
The DPO must be a person with a high-level view. He can be an employee of the organization or an external party engaged via a specific contract (WP29 Guidelines on Data Protection Officers, Art. 2.4).
However, the adoption of a DPO can depend on factors such as company size, the existence of the required skills already within the organization, the experience and the internal culture of privacy.
In healthcare companies of a certain size, where there is greater culture and awareness of data protection, the choice of a Data Protection Officer must fall on existing internal staff who possess the skills gained over the years in health care and who hold specific certifications for the governance of data protection.
The DPO is a significant actor that performs multiple functions (GDPR, Art. 39):
– inform and advise the actors who perform the processing of their obligations regarding data protection;
– monitor regulatory compliance, in particular with the GDPR and the specific rules on personal health data;
– prompt the Controller and Processor to perform a Data Protection Impact Assessment and monitor its performance (GDPR, Art. 35);
– cooperate with the Data Protection Supervisory Authority: the DPO is the interface for requesting official opinions and for reporting data breaches.
The DPO holds a strategic position: he must be an authoritative figure who inspires confidence within the company and externally. Not a mere figurehead, but a well-prepared actor able to understand regulations and technologies, with long experience and the ability to relate properly to others: a key player in the growth of the organization.
The cost of a Data Protection Officer in a healthcare organization can start from 80,000 EUR / year, plus any resources needed to sustain the role within the company. In any case, to perform his tasks the DPO will draw on the organization's existing resources.
Failing to designate a DPO carries penalties of up to 10 million EUR (GDPR, Art. 83, paragraph 4).
Despite not having direct responsibility for the management of data protection policies, it is very likely that the DPO bears civil and contractual liability towards the company on which he depends, because the activities he provides have a direct impact on the processes and on the general degree of compliance.
In any case, it is impossible to acquire the skills of a DPO with a three- or four-day training course. Health organizations must therefore choose this actor knowingly.