Do you remember the old-fashioned DPS (Documento Programmatico per la Sicurezza)?
When it was removed from the minimum required measures, the Italian Regulator didn’t mean that companies could abandon the analysis of the different kinds of data processing, the definition of the inherent risks and the measures to mitigate them. In practice, companies aiming merely at formal compliance concluded that the abolition of a document meant they could possibly abandon the underlying activities as well.
Do you remember the planned inclusion of privacy crimes among those covered by the 231/2001 decree (Regulations regarding administrative responsibilities of corporate bodies of Companies)?
The privacy crimes were planned to be included in the catalog of the 231 law’s crimes, in particular those related to the illegal processing of data, to mendacious declarations to the Data Protection Authority and to non-compliance with the Regulator’s Provisions. Although stated, this was never converted into law.
The same seems to be happening to the DPO appointment requirement (art. 35) in the discussion for the approval of the new European Data Protection Regulation. Many provisions describe the role, the competencies needed for appointment and the tasks to be accomplished, and they do so in such detail that the provision where “shall” is replaced with “may” appears paradoxical: all the words previously spent describing the requirements could be reduced to nothing. Moreover, the minimum size of the companies required to comply, even after the amendment from “employing 250 persons” to “processing to more than 5000 data subjects”, seems culpably neglected.
This continuous restructuring and rethinking of the approaches, at both the local and the European level, seems aimed at reducing the responsibilities of companies processing personal data and the extent of their organizational and governance requirements. Is this really all there is to it?