What is a EU Data Protection Officer?
Data protection officers are a designated person within an organization that collects the personal data of Union citizens who is responsible for making sure that the organization follows the new regulations. They are appointed for two year periods and can only be terminated if they fail to fulfill their duty; however, they can be reappointed indefinitely. Like the rest of this legislation, the DPO would be mandated sometime in 2016 pending the finalization of the reforms in 2014.
While all people who collect personal data in the Union will be accountable to the law, Article 35 of the proposal says that only certain data collecting entities must have a designated data protection officer. These entities are “a public authority or body”, “an enterprise employing 250 or more persons”, or someone whose “core activities… require regular and systematic monitoring of data subjects.”*
The DPO has several duties that are spelt out in Article 37 of the proposal. First, they must “inform and advise the controller or the processor of their obligations… and to document this activity and the responses received.”* Next, they are to monitor the “implementation and application”* of the organization’s policies and training on data management as well as monitoring the application of these polices. They must also keep documentation on (according to Article 28) at least the name of the data collecting entity, contact details of their DPO, purpose of the data processing, types of subjects and data, “recipients of the personal data“, whether or not data is transferred outside the EU, and offering the time limits for data erasure. Likewise, they must monitor personal data breaches and “the response to requests from the supervisory authority”*. And they have a variety of roles to the supervisory authority including cooperating with the supervisory authority if requested and to be the supervisory authority’s contact person in the organization.
The Data Protection Officer is one of the areas of the EU data protection reforms that’s being heavily debated, however. The major areas of contention are on the importance of the DPO, how much work this actually is, and the criteria for deciding who does and does not need a DPO.
The general assumption is that the legislation means that the data protection officer is someone’s full-time position. But some of the MEPs working on the reform suggest that a full-time DPO is unnecessary because they could do the work part-time while performing other duties. And there are some who think that the DPO is superfluous.
The Union originally adopted the German model wherein any company with over 250 employees would have to appoint a data protection officer. This requirement, Vivian Reding argues**, will help small businesses to avoid getting overly burdened by administrative costs and work. However, Jan Phillip Albrecht–the regulation’s rapporteur–has suggested revisions that alter this model to focus not on employees, but on how many people’s data is collected. His model states that any company collecting data on 500 or more EU citizens must have a DPO.