March 29, 2012, updated 22 Aug 2016 12:54pm

Snooping DPOs the biggest concern in new EU Data Privacy Laws

The new EU Data Privacy Framework includes mandatory provisions for the introduction of Data Protection Officers inside every company with more than 250 employees. How will this work in the UK?

By Allan Swann

As CBR reported back in January, the new EU data privacy framework has some very progressive requirements for businesses – as well as potentially some onerous burdens.

There remain concerns that the new legal framework has been constructed too broadly with high concept end results and politics in mind, rather than focusing on the details and the processes businesses need to go through to be compliant.

One of the key focuses has been on the forced introduction of Data Protection Officers (DPO) for companies of 250 staff or more that handle sensitive data.

DPOs will have a company-wide mandate to ensure that data risk is minimised – both to the company and its clients.

As the framework is currently constructed, DPOs will need to ensure they have no conflict of interest within their company, which means that board members and CEOs cannot hold multiple roles as may have happened in the past. DPOs will be considered ‘independent’, and will not be able to receive instructions from the executive or the board, while simultaneously reporting to them.

Internal DPOs will also receive special employment protection, which at this stage appears to mean they will only be able to be fired for ‘performance related issues’. They will also serve minimum terms of two years. The framework is unclear on how this conflicts with existing employment law and contracts, for issues such as harassment and gross misconduct.

Axel Freiherr von dem Bussche, an IT law specialist from law firm Taylor Wessing, believes that claims by the EU that this will result in ‘less bureaucracy’ are "just a lie".

Von dem Bussche was addressing Taylor Wessing’s seminar on the new European Data protection framework, and compared the proposed EU laws to the DPO system already in existence in Germany.

There, DPOs are required to monitor the application of data protection regulations within their company. They act as a contact point for the government’s supervisory authorities and also give information and advice to the data controller.

As an example, he said that Deutsche Telekom’s DPO now has some 40 advisors, and that the EU’s DPO proposals will create "more bureaucracy within companies" over here too.

He responded to claims by the EU that the planned introduction of mandatory DPOs will ‘possibly reduce costs’ with a simple ‘possibly not’.

"While DPOs may initially ‘clean up’ companies, DPOs also have the habit of finding work for themselves," he said.

It's not all bad, though. Von dem Bussche also believes that Data Protection Officers, being such a specialised position, can evolve to provide a good advisory role when companies are rolling out new technologies, such as BYOD (Bring Your Own Device) initiatives and expansion into social media – both areas where data sensitivity is often given cavalier treatment by companies unaware of the risks.
