The key to improving corporate data protection may be appointing an in-house data protection officer to take responsibility for all the personal data collected and processed by the organization, according to some European data protection experts.
Companies “actually need to have someone who is a ‘data champion’ within the organization, someone who will take responsibility for these issues,” says Bridget Treacy, partner at the international law firm Hunton & Williams. “And the organization needs to regard them as being significant and serious and worthy of attention,” she says.
Peter Gola, president of the German Association for Data Protection and Data Security, told regulators and stakeholders at a European Commission conference convened in Brussels that the data protection officer should be a known and recognizable member of a company’s staff.
Chief privacy officers or chief information officers appear to have greater visibility and status within U.S. companies than many European data protection officers have in their respective organizations, Treacy says.
A recent survey commissioned by Ounce Labs, Inc., and conducted by the Ponemon Institute surveyed CEOs and other senior executives of companies operating internationally, and 79 percent reported that one person is responsible for the overall data protection effort within the enterprise. Who that person was varied. Only 53 percent of respondents said the chief information officer was the person accountable for data protection.
In some European countries, such as Germany, the appointment of a data protection officer is mandatory for most organizations. However, German data protection officers can be internal or external. But even in countries where the appointment of a data protection officer is optional, having such a position can mean that a company is exempted from some legal obligations, such as notification of data processing to the regulator.
In France, the appointment of data protection officers is strongly recommended by data authorities but there is currently no legal obligation for a corporation to designate such a position. The French government is considering a law that would require organizations with more than 50 employees to appoint a data protection officer, but there’s no indication that this legal change in France is imminent, Treacy says.
In Germany, however, lawmakers recently amended the country’s Federal Data Protection Act to strengthen the position of internal data protection officers. The action was prompted by corporate scandals in which companies are alleged to have improperly obtained personal data about customers, journalists, and their own board members.
The revised German law, which took effect September 1, prohibits companies from terminating the employment of an internal data protection officer without good reason. In Germany data protection officers can occupy the position in a part-time capacity, while holding another job in the company. Under the new amendment, these data protection officers cannot be terminated from their other job for a year after their term ends.
“The data protection officer ought to have confidence to be difficult, to ask difficult questions, and not be afraid of losing his job,” Gola said. The law also requires companies to pay for continuing education and training courses for data protection officers.
Speaking at the conference, Christopher Kuner, a Brussels-based lawyer with Hunton & Williams and chairman of the European Privacy Officers Forum, called the role of data protection officers a “major achievement” of the EU’s data protection law but said more reforms are needed.
The idea is to have data protection embedded in an organization, to have it be part of its DNA, and the goal of the data protection officer is to make that happen, he said, “but the role of the data protection officer in Europe needs to be developed further to make sure that we fulfill the potential.”
Both Kuner and Gola said data protection officers should be fully integrated into all corporate procedures and involved from the outset in strategic business decisions. “Data protection officers shouldn’t just limit their work to checking that the processing of data is done in compliance with the law,” Kuner said. And they should not only “be called in once a problem has cropped up.”
Kuner also said data protection officers should report directly to the board of directors. The current legal situation in Germany, Gola said, means that even if a company excludes the data protection officer from decisions, as he noted has happened with the recent German scandals, there are no legal consequences.
“You are not fined, you are not considered to be acting outside the law,” he said. Companies can only currently be fined for failure to employ a data protection officer, Gola said. “This needs to be changed.” This problem was not addressed in the amendments to the law.
Another challenge to strengthening the role of data protection officers is that there is not a standard set of qualifications for data protection officers in companies in EU countries. The existing qualifications, according to Kuner, are based on national laws and practice, but the realities of the job have become more international. “A data protection officer should have knowledge of other legal systems in place in other member states,” he said, “and should, at the same time, be able to grapple with the international dimension which data protection issues have.”