What a Data Protection Officer means for an Organization
As mentioned in yesterday’s post “Video: How to protect your offline and online privacy“, E-Crime Expert is presenting today what a Data Protection Officer is, what his/her duties are, why he/she is useful in an organization, and how he/she can help protect your business, clients, private information and intellectual property.
The protection of personal data and private information is important for both individuals and organizations. For these reasons, E-Crime Expert is presenting today what a Data Protection Officer (DPO) is, what he/she does, and how he/she could protect your organization (cost savings, legal requirements, etc.).
While the American Chief Privacy Officer (CPO) has no formal or legal existence, the European DPO derives his/her rights from law. In Germany a DPO is mandatory, whereas companies in France, Luxembourg, the Netherlands and Sweden have the choice to appoint one. In other countries the role has no legal existence yet, but having an official person in charge has proven effective in solving privacy issues.
I. Usefulness for organizations and sectors
Self-regulation and the integration of supervision into normal business operations contribute effectively to the achievement of improved privacy protection. The data protection officer is an expert point of contact for the controller. He is also able to act as a contact person for people whose personal data are being processed. These individuals might be customers, employees or patients. The data protection officer increases privacy-awareness within the organization.
Reason for DPO
i. Awareness will increase when a DPO is appointed
ii. The number of unauthorized processing operations will decrease dramatically
iii. “Professionals” are able to do their work more efficiently in close cooperation with the DPO
iv. The corporate image will benefit from appointing a DPO
v. By reducing “organization incidents”, the cost of the DPO could become a profitable investment
i. Advice, helpdesk, service, maintenance, knowledge and practical experience
ii. Document security
– Document shredders
– Archive shredders
– HDD shredding solution
iii. Post room solutions
– Folding machines and letter inserters
– Letter openers
– Paper cutters
– Other paper handling equipment
– Access card/ID card
v. Takes care of internal supervision of privacy data processing
vi. Is responsible for a public register with processing reports
vii. Conducts research systematically
viii. Ensures privacy in data processing
ix. Ensures the security of privacy data
x. Takes care of internal and external complaint mediation
xi. Helpdesk for privacy applications
xii. Advises concerning privacy data security
xiii. Initiator of the annual privacy audit
xiv. Conducts regular campaigns to improve internal privacy awareness
Duties and powers
The data protection officer should be a “natural” person. As such, a works council or committee will not be eligible for this position. The data protection officer must possess the knowledge required, i.e. a knowledge of the organization, the data processing occurring within the organization, the interests involved and, of course, a knowledge of privacy legislation. In addition to the above, the data protection officer must be reliable. This reliability is reflected in the obligation to observe secrecy and the ability to balance against each other the various interests involved and to do so from a position of independence. The data protection officer has the authority to enter various areas, investigate cases and request information and access to information.
The data protection officer’s activities will include:
- the collection of data processing inventories
- the administration of data processing notifications
- the handling of complaints
- the preparation of annual reports
- fulfilling the formal obligations (i.e. preparing forms)
- the provision of information
- the development of internal regulations
- the provision of advice on technology and protection
- ensuring that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations
- raising awareness of data protection issues and encouraging a culture of protection of personal data within his/her organization; controllers shall be informed of their obligations and data subjects shall be made aware of their rights
- ensuring that controllers and data subjects are informed of their rights and obligations pursuant to the EU Data Protection legislation
- training of staff members and controllers
- making the register accessible also in electronic form as a tool to ensure transparency as regards the processing operations in place in the organization
- giving assistance to the controllers in notifying processing operations, which may also be formalized in the organization’s rules
- making recommendations for the practical improvement of data protection in the organization and advising the controller concerned on matters concerning the application of data protection provisions
- communicating with the Data Protection Authority and discussing any issues
What skills does a Data Protection Officer need to have?
A Data Protection Officer should be able to expertly carry out his/her office. In particular, this makes it necessary for the Data Protection Officer to be familiar with methods and techniques of automated data processing and to know about the legal and business issues. A Data Protection Officer especially needs to understand the organization of the business and its roles. This includes an understanding of all specific business tasks for which personal data is processed.
Independence of the Data Protection Officer
In order for a Data Protection Officer to perform his/her duties in compliance with the law, he/she must be independent in terms of making decisions about and evaluating circumstances.
Reliability of the Data Protection Officer
In addition, only those persons may be appointed as a Data Protection Officer who exhibit the necessary reliability to carry out their office. Reliability as a concept includes the ability to work under stress and learn quickly, being loyal and conscientious, and having a diligent and thorough work style. The term reliability also refers to compatibility between the Data Protection Officer’s task and his/her other primary and secondary duties.
Which professions involve a conflict of interest?
Legal scholarship considers some professional groups to have a potential conflict of interest that places in doubt the independence of the Data Protection Officer and hence his/her ability to work effectively. The prevailing opinion is that members of management, owners of a company, data processing and human resources managers, and IT administrators should not be appointed as Data Protection Officers. For the same reasons, appointing close relatives of management and similar persons should be avoided.
Which persons can be considered for the position of an Internal Data Protection Officer?
Employees in the audit department, legal department, and organizational department can be appointed as a Data Protection Officer unless there is a conflict of interest. A director from the internal audit department or the data processing audit department is generally considered suitable for the position in the literature.
Avoiding conflicts of interest by using an External Data Protection Officer
An internal conflict of interests can be avoided in practice by appointing an External Data Protection Officer.
Advantages of an external Data Protection Officer
Most companies prefer to appoint an external Data Protection Officer for reasons of liability, qualifications, employee participation, termination and costs.
Position in relation to the controller
The data protection officer should be able to perform his/her duties independently. Independent supervision means that the data protection officer holds a staff position, preferably allied to management within the organization and certainly not isolated from it. The controller makes it possible for the data protection officer to perform his/her duties properly. The recommendations made to the controller by the data protection officer are not binding. However, the data protection officer may not be prevented from carrying out investigations. A data protection officer enjoys the same protection against dismissal as that offered to members of a works council.
Position in relation to data subjects
A data protection officer’s set of tasks may include dealing with complaints on the use of personal data. A data protection officer may provide information on data processing within a particular company or sector.
II. Sources of information of the DPO
Implementing rules are also a tool to formalize the cooperation with the DPO within the organization, notably with:
- the Internal Auditor, IT services and the Local Information Security Officer (LISO) may request the DPO’s observations, and conversely;
- the DPO should be informed/consulted before any opinion, document or internal decision on matters related to data protection provisions is adopted by his/her organization;
- the DPO should be informed when the controller receives a request for access, rectification, deletion, etc., as well as of any complaint related to data protection matters.
Role and duties of the Controllers
- every controller concerned shall be required to assist the Data Protection Officer in performing his or her duties and to give information in reply to questions;
- controllers should give prior notice to the DPO of any processing operation;
- processing operations should be notified sufficiently well in advance to allow for prior checking by the DPO;
- any change in processing involving personal data should be notified promptly to the DPO;
- controllers should cooperate with the DPO to establish the inventory of processing operations;
- where appropriate, controllers should consult the DPO on the conformity of processing operations, in particular in the event of doubt as to conformity;
- controllers should prepare notifications to the DPO for all existing processing operations which have not yet been notified;
- in case the controller outsources part(s) of the processing operations to a processor, the DPO should be informed and asked for his/her advice in this matter.
Rights of the data subject
- data subjects should be properly informed of the processing of their personal data in compliance with the EU Data Protection legislation.
If you need the services of an external Data Protection Officer, contact: firstname.lastname@example.org
Any questions about Data Protection Officers can be submitted to: email@example.com
Additional information can be found at: www.e-crimeexpert.com
Did you know what a DPO is? Do you work with a DPO? Are you a DPO? Would you consider hiring a DPO?
Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.