The EU and Data Protection changes – more red tape or a job creation scheme ?

New EU data protection rules being discussed by Europe’s justice and home affairs ministers on Friday 6 December included increased restrictions on international data transfer and companies are now required to have a Data Protection Officer (DPO) if they

  • process the personal data of more than 5,000 individuals
  • have more than 250 employees
  • are a private sector company whose core activities involve regular monitoring of individuals
  • and all public authorities

Thus organisations that operate in the European Union may soon be searching for candidates for a new role mandated by this law: the Data Protection Officer. As currently described by the proposed legislation, the DPO role would require a seasoned professional with credentials in the security trenches, reporting directly to the board of directors.

They would also be forced to conduct a data protection impact assessment every year and carry out a compliance review every two years.

At the moment there is no single ‘IT Security’ qualification, and there is no ‘licensing’ of IT Security staff. I say this is lucky, because with no licensing issues with regards to ‘IT Security’ around companies can cover themselves with a single DPO for the moment, but if every country brought in its own licensing then that could mean a lot of red tape and time and money….

To cover just countries in the EU, where there is meant to be some sort of harmony. That’s 27 member states (at the moment – and 3 more pending) and 24 official languages; as us Europeans know the seat of the EU is in Belgium which has French, Dutch and German as official languages and not English.

Without an international standard to which a person maybe licensed, if a person was licensed in the UK, any European role would mean they would have to be additionally licensed in every country. That could be a huge over head for some companies. Potentially, every country a company has business in could be forced to employ a DPO, or one very qualified DPO who would spend half the time keeping the security licenses required and be fluent in as many languages as required.

Certainly, for a lot of companies in the global market place these days, a central highly skilled IT team often runs operations remotely for many offices, thus avoiding duplication of the top-tier support staff. But these new laws could force the creation of a lot of new posts of DPO.

The Federation of Small Businesses estimated the cost of hiring a DPO at £64,000 per year in addition to the £11,200 per year for the data protection impact assessment.

Still it’s cheaper to hire a DPO than the fines that are being introduced – serious violations (like processing sensitive data without an individual’s consent) would allow supervisory authorities to impose penalties of up to $1 million or up to 2 percent of a company’s global annual turnover.