Is the downgrade of the DPO role requirement, resulting from the recent EP position and the Council General Approach (15/06/2015), a real understatement, or a need for an intermediate, shorter but common step ahead for all Member States?
The Data Protection matter seems affected by annoyance and embarrassment both on the side of individuals, who should feel safeguarded by it, and on the side of companies, which are required to apply and assure it.
Are we talking about a range of abstract prescriptions that are hardly, or only formally, understood, or about a set of statements requiring attention in the definition of an organizational and governance structure based on rules, measures, checks and countermeasures that companies prefer not to invest in? For sure, companies directly or indirectly managing personal data are required to step ahead in order to increase the perception of the thefts to which the digital evolution is exposing data. And the regulators are for sure playing the role of addressing incremental attention to the matter, often raising an appropriate requirement even though it is sometimes downgraded if too proactive or forward-looking. This is well described by the heavier and heavier efforts and budgets that companies declare they are required to spend in order to comply while, in reality, this states the higher and higher distance between how activities are performed and how they are expected to be performed.
Since companies are exposed to risks, with measures and responsibilities taken or only partially taken, the DPO was expected to play an intermediary role among the different company Functions in case a technical, organizational or operational deficiency should arise. Sometimes the Legal, at other times the Compliance, the HR or the IT departments are asked to take a decision based upon their own approach. The necessity of focusing on a single new role, directly linked to Top Management, would have finally suggested a more appropriate internal authority, more or less similar to what has been achieved in terms of physical protection and safety for employees.
In my personal opinion, companies in general should have a more structured organizational and governance approach to Personal Data Protection compared to what has been done so far, helping all levels, from operations to management, to understand that personal data abuses, misuses, removal, destruction or leakage could cause costs much higher than what would be needed to prevent those events.
The only reason I see for such a prescriptive discount, a "may" granted instead of the previous "shall", could be found in the following statement, "where required by Union or Member State law, shall ...", which opens the requirement to the current different degrees of rigidity in the countries' laws, or to the results of different risk assessments, often assumed as appropriate until different advice or until a fault occurs. It would mean that Member States are asked to legitimately prescribe a heavier organizational measure in case they consider it more appropriate. This is what could reasonably occur in more aware countries like ours.
The consideration that, according to the opinion of the EDPS (European Data Protection Supervisor), authoritatively represented by the Italian Giovanni Buttarelli, the suggested recommendation stands in its former shape is likely to make a small difference. It simply helps in understanding what the best practice would be.
One of the goals of the Regulation was to have the same rules throughout the EU. That's why I don't expect that local Data Protection Authorities will play a role in making the law tougher in their countries. It would be a step back to country-by-country Data Protection.
Probably, the statement mentioned refers to existing national laws that already require the DPO.
The decision taken means that the Council considers a mandatory DPO (but also other aspects) too expensive and too heavy for all enterprises, and too difficult to decide upfront who should be obliged and who should not.
It can be easier to decide more binding rules by industry, with industry-specific regulations, as was done in the past, for instance, with Telcos, and can be done in the future.