Three years after the GDPR, DPOs now have to convince businesses of their usefulness
Almost three years after the operation of the GDPR, now the challenge of the data protection officers is to convince companies of the true usefulness of this figure. This is because the DPO is an “artificial figure”, that is, created “ex lege” rather than by the market, and the precedents in the history of law teach that the risk is that the results are modest, or even disappointing.
The debate of the meeting developed around this concept “The Data Protection Officer between rules and practices”Organized by Federprivacy which was attended by over 400 professionals from multinationals and other large Italian companies.
Although there is no doubt that the inclusion of the data protection officer in the European data protection law was at least an appropriate choice, “the real challenge lies in verifying whether this figure, in practice, will be able to make a difference and guarantee a qualitative increase in the level of concrete application of the rules and respect for the rights of the interested parties or, if on the contrary, it will prove to be just yet another formal fulfillment devoid of any concrete benefit for society “.
This was said by Guido Scorza, member of the Guarantor for the protection of personal data, who spoke at the event, together with Nicola Bernardi, president of Federprivacy, and Rocco Panetta (in the photo), Country Leader of IAPP for Italy, who observed :
“Whether the DPO is the right option, only time will tell. But it is certainly a great opportunity that the GDPR has offered to companies and citizens. Let’s strengthen it with injections of independence, authority and competence, be it external or internal to the company and maybe we will be able to better protect personal data and enhance them “.
During the meeting, Federprivacy also carried out some polls in real time through their own Telegram channel, from which it emerged that 27% of professionals in the sector agree that the introduction of the DPO was an appropriate choice of the legislator, while 41% of them even consider it necessary. Furthermore, 54% of insiders believe that the data protection officer has proved to be a useful figure for companies, even if to avoid risks of conflicts of interest and jeopardize their independence, 69% of insiders think it would be better entrust the task to an external professional, and 73% of them would like the introduction of specific reference rates for the professional category of data protection officers.
During the course of the work, the issue of skills was also addressed, and with regard to professional certifications in the privacy field, Bernardi specified that “to be a DPO there are no qualifying qualifications, but it is necessary to have specialized knowledge of the legislation and practices on the protection of personal data. However, what a certification gives is an added value with which a third party and independent body issues the professional with a formal certification on the actual possession of the skills required by the Gdpr “.
In this regard, another of the surveys proposed to the participants showed that professional certifications, of a voluntary nature for those who have to fill the role of DPO, are considered a “must-have” by 29% of professionals, while almost half (47 %) of respondents consider it as an optional credential of relative importance.