It seems that with every passing week, people are becoming more aware of both the threats to their data privacy and the rights they have under the UK’s data protection laws. In response, many organisations are putting greater emphasis on data compliance and are hiring specialists to ensure they meet their information security obligations.
The European Parliament recently encouraged firms to hire such specialists – widely known as data protection officers (DPOs) – in preparation for the new EU data protection directive, which is still in the drafting stage.
The primary job of the DPO – AKA data compliance officer or data privacy officer – is to ensure an organisation’s use of data is compliant with legislation. In a recent job ad, bagless vacuum pioneer Dyson said it wanted its DPO to “achieve efficient management of Dyson information, while optimising its effectiveness and maintaining compliance with global information-related laws and regulations”. British Gas, meanwhile, is on the hunt for a DPO who “will provide pragmatic and commercially-focused privacy and data protection advice across British Gas and Centrica”.
Daniel Pradelles, HP’s privacy officer EMEA, explained that his role involved liaising with several different business functions internally, as well as regulators externally.
“Each of HP’s three privacy officers (one for each region) is in charge of internally managing a team, and ensuring that the marketing, product team and developers are adhering to the law, and to HP’s policy in terms of data protection and privacy. Externally, I have to be in touch with all of the regulators in Europe – with the European parliament in Brussels and the local regulators in France and the UK,” he told Computing.
But Pradelles believes that current EU legislation should be harmonised, as currently there is too much variation in the way it is implemented.
“The way the current [data protection] directive is implemented in the UK, France, Germany and Italy is very different. Not just from a conceptual point of view, but in practice,” he said.
The EU is pushing through a new directive to strengthen privacy for Europe’s 500 million citizens.
The latest proposal is for the DPO role to be made mandatory for any legal entities that process data on more than 5,000 individuals per year. Currently, companies in many EU countries are encouraged to appoint a DPO, but it is not obligatory. One such country is France, where organisations that do not have a DPO have to register directly with the French data protection authority (CNIL) to process data. But by hiring a DPO, French firms can avoid a lot of CNIL-related paperwork.
“They still have to get approvals, but they would be exempt from registering, so it is an incentive for many companies to hire a DPO to avoid the formalities associated with filing all of these registrations,” said Karin Retzer, partner and data protection specialist at law firm Morrison & Foerster.
In the UK, companies that have a DPO still have to register with the Information Commissioner’s Office (ICO).
The ICO said that it doesn’t have any specific views about the appointment of DPOs.
“Our main concern is that [organisations] comply with the Data Protection Act (and the Freedom of Information Act if they are a public authority) – how they choose to do this is up to them,” it said in a statement.

Where does the buck stop?

So how much accountability should the data protection officer have?
In Germany, the data protection role is more like an “internal watchdog” than an advisory position.
The person tasked with being the watchdog has to monitor projects to ensure compliance with privacy regulations – but it’s a role that could land them in hot water.
“In Germany, it is mandatory for companies to appoint a DPO. In a case where the compliance officer failed to prevent a breach that they could reasonably have been expected to, then that compliance officer would be held criminally liable. But it has not been tested, and I’m not aware of any criminal case brought against anyone for this,” said Retzer.