If one looks at the practice of medium-sized companies, one often gets the impression that the data protection officer is seen more as an annoying appendage. Data protection and data security are cost factors. In this article, we look at the legal basis for appointing a data protection officer and the opportunities for generating benefits from an obligation.
The legal basis for the appointment of a company data protection officer (DPO) can be found in the GDPR and in the Federal Data Protection Act (new version), in force since May 2018. A company DPO must be appointed if
- 20 or more employees are involved in the processing of personal data, or
- there is an obligation to conduct a data protection impact assessment pursuant to Art. 35 of the GDPR, or
- the core activity consists of the extensive processing of particularly sensitive data pursuant to Art. 9 or 10 GDPR, or
- the core activity consists of the monitoring and profiling of data subjects.
Regardless of the obligation to appoint a DPO, companies must guarantee compliance with data protection law principles, including the unloved mandatory documentation.
Three cardinal mistakes of management in the appointment and practical work of the company DPO
Cardinal error No. 1: The managing director or senior executive as DPO.
The DPO’s tasks and duties are incompatible with those of a managing director or senior manager who has decision-making authority over the processing of personal data. If, years after the GDPR entered into force, such arrangements can still be found in data protection declarations, the responsible parties are unintentionally revealing a profound ignorance of applicable law.
Cardinal error No. 2: Underestimating the qualification requirements for the DPO
The DPO’s minimum tasks and duties can only be fulfilled if he or she is granted the resources for ongoing training in both legal and technical/organizational matters. A data protection officer must be able to guarantee that current case law and new trends in technical development are appropriately taken into account in the company at all times. The “lone warrior” in the company is quickly overwhelmed here; teamwork helps.
Cardinal error No. 3: Data protection in practice starts at the top
Data privacy and data security are primarily the responsibility of the company’s management. If managing directors or board members repeatedly let employees know how annoying and inconvenient it is to comply with legal obligations, why should employees be conscientious and careful in handling the data entrusted to them? Management would be well advised to take a self-critical look at its own attitude to the issues of data protection and data security.
Data protection is a matter of trust
Even if it may not seem like it in these times of social media, customer relationships are based on trust. Anyone who has the impression that their data is (or can be) misused for purposes other than those intended and desired will, in case of doubt, refuse or boycott disclosure or switch straight to a competitor. The wave of user migration away from WhatsApp and toward Signal and Threema after the latest publications about the planned changes to the terms and conditions is just one example of this trend.
Data privacy and data security are like communicating vessels
[Figure: Privacy and data security assurance goals]
The protection goals of data privacy and data security are like communicating vessels: serious deficiencies on one side cause deficiencies on the other. Conversely, technical and organizational data security measures automatically strengthen data privacy in the vast majority of cases. Security is the result of the interplay of the data protection objectives.
Investments in data security and data protection initially incur costs. As with all preventive measures, it usually takes a while before the cost of not making them becomes apparent. High fines and exorbitant data breaches will continue to find their way into the public eye. Costs can be discussed; security should not be negotiable.
If you have any questions or critical comments, please do not hesitate to contact us.