Greetings from Rome!
Five business days remain before the EU General Data Protection Regulation “goes live,” and the world is looking at Europe to see how the switch off from existing privacy EU laws to the new one will be handled by national regulators and by the European Data Protection Board. In this respect, European Data Protection Supervisor Giovanni Buttarelli in a recent speech at a conference in Berlin has clearly indicated priorities for EU regulators.
Honestly speaking, in Europe, we are used to seeing local legislators implementing EU laws in accordance with their case law jurisdictions, other existing laws, local sentiment in a given historic period, and so on. The scope of a regulation, including the GDPR, is to limit this approach, to ensure a uniform framework to the digital single market first and to the freedom and protection of personal data flows. At the same time, no one should believe that after 25 May, the GDPR will be the only applicable law to the complex world of personal data processing across Europe. Peculiarities coming from local countries will be there for years, at least until the EU becomes a real union of states, with a unique jurisdiction, a unique language (maybe Latin or Italian, now that U.K. is “Brexiting”…) and nationalism will be abandoned. Is that too utopian?
While the springtime is late here in Italy, the country is struggling between political issues actually slowing down the establishment of a new government after the general elections of March. This is also why the adoption of the Italian harmonization law, initially passed in draft by the government in March, is still working toward approval.
The latest version of this draft introduces a number of strict requirements, for example, those in case of the particular data processing (i.e., sensitive data), including the authorization of the Garante, as well as the provision of criminal penalties for unlawful data processing, in addition the unauthorized collection and diffusion of data on the web, under certain circumstances.
Besides that, there is the data protection officer. Specific guidance provided by the Article 29 Working Party, as well as by the Garante and other DPAs, has added some tips to get clarity on that field.
In recent months, in this corner of old Europe, the debate on DPO has been going on among privacy experts; the vexata quaestio consists in interpreting the GDPR on whether the DPO should be internal or external to the company. Personally, I believe there is no a “black and white” answer, as the DPO shall be appointed according to the specifics needs of the companies — this is one of the accountability principles!
For months, I preferred and suggested the internal option as the first choice to my clients, in order to allocate this pivotal function to someone who already ensures a comprehensive and detailed understanding of the processing operations carried out. But the market for in-house privacy professionals is still young here, and there is a real scarcity of sound resources. Furthermore, it seems crystal clear that only well-structured companies and major players can invest the necessary time and capital to organize an internal department lead by the DPO. The others shall maybe rely on external professional figures.
When I realized that, I began to lean toward the external DPO, also due to the fact that it is generally more compliant with the independence requirement. And I have also started to accept an appointment as external DPO for some of my clients, as well; this is something that I have excluded a priori for a while, but it is also a proof of evidence of how this phenomenon is really ongoing and able to change our mind at the same time.
All companies should take this chance to foster an authentic privacy culture. Last days to make a choice? Not really. Corporate governance is a complex art that needs improvements, day-by-day commitment, and flexibility to change outputs based on the input received.
The DPO is a key player for the GDPR implementation success. Let’s work together to increase awareness and to boost quality and visibility of the privacy profession inside and outside the companies. And good luck!
If you want to comment on this post, you need to login.