As CBR reported back in January, the new EU data privacy framework has some very progressive requirements for businesses – as well as potentially some onerous burdens.

There remain concerns that the new legal framework has been constructed too broadly, with high-concept end results and politics in mind, rather than focusing on the details and the processes businesses need to go through to be compliant.

One of the key focuses has been on the forced introduction of Data Protection Officers (DPOs) for companies of 250 staff or more that handle sensitive data.

DPOs will have a company-wide mandate to ensure that data risk is minimised – both to the company and its clients.

As the framework is currently constructed, DPOs will need to ensure they have no conflict of interest within their company, which means that board members and CEOs cannot hold multiple roles as may have happened in the past. DPOs will be considered ‘independent’, and will not be able to receive instructions from the executive or the board, while simultaneously reporting to them.

Internal DPOs will also receive special employment protection, which at this stage appears to mean they will only be able to be fired for ‘performance related issues’. They will also serve minimum terms of two years. The framework is unclear on how this conflicts with existing employment law and contracts, for issues such as harassment and gross misconduct.

Axel Freiherr von dem Bussche, an IT law specialist from law firm Taylor Wessing, believes that claims by the EU that this will result in ‘less bureaucracy’ are "just a lie".

Von dem Bussche was addressing Taylor Wessing’s seminar on the new European data protection framework, and compared the proposed EU laws to the DPO system already in existence in Germany.

There, DPOs are required to monitor the application of data protection regulations within their company; they act as a contact point for the government’s supervisory authorities and also give information and advice to the data controller.

As an example, he said that Deutsche Telekom’s DPO now has some 40 advisors, and that the EU’s DPO proposals will create "more bureaucracy within companies" over here too.

He responded to claims by the EU that the planned introduction of mandatory DPOs will ‘possibly reduce costs’ with a simple ‘possibly not’.

"While DPOs may initially ‘clean up’ companies, DPOs also have the habit of finding work for themselves," he said.

It’s not all bad, though: von dem Bussche also believes that Data Protection Officers, being such a specialised position, can evolve to provide a good advisory role when companies are rolling out new technologies, such as BYOD (Bring Your Own Device) initiatives and expansion into social media – both areas where data sensitivity is often given cavalier treatment by companies unaware of the risks.