The EU Council’s proposal for the Personal Data Protection Regulation approved on the 11th of June makes the DPO no longer mandatory for anyone.
What did it mean for the DPO to be mandatory in the previous versions of the forthcoming Personal Data Protection Regulation?
The digital transformation, or whatever you may call the big changes that technology is forcing in our lives, largely consists of a much deeper relationship between consumers and suppliers of services or products. Digital technology becomes so intimate to the product or service that the data such technology deals with become part of the contract, shared between consumer and supplier, owned, or almost owned, by both. More and more frequently, these data are personal data: location, blood pressure, friends…
If consumers’ personal data become assets of the suppliers, it seems quite reasonable that the rights associated with those data also become part of the supplier organization, which is in its own interest as well.
So the DPO could be seen as a piece of the digital transformation that helps to make it sustainable, a consequence of the fall of the wall between supplier and consumer, between an employee’s personal life and his professional duties.
Maybe it was too far ahead of its time. Maybe it was too expensive, or too difficult to define properly, to be sustainable as a cost; but in any case it is hard to avoid the impression that this is a step back.
I would recommend companies to have a DPO in any case. It makes sense to have one. The company needs somebody to govern the data protection activities, such as data protection impact analysis, and to report to the authorities and to the board. The DPO shall be part of the incident management procedure, and so on. The DPO is a good investment for compliance and data protection.