The GDPR requires many companies to appoint a data protection officer (DPO). In the new data governance system, the DPO is an important actor, and the GDPR sets out the criteria for his or her appointment, position and functions. Do companies need a DPO? If they do, what steps are required for his or her appointment, and what will his or her position and functions be?
On 24 January 2018, Isabelle Falque-Pierrotin, Data Protection Commissioner of the French Republic and Chair of CNIL (the French Data Protection Authority), reported that the number of data protection officers fell far short of requirements in France: “80,000 companies and public institutions have to appoint a DPO, today there are only 18,000.”
In 2018, the International Association of Privacy Professionals (IAPP) estimated that at least 75,000 DPO jobs would be created in response to the GDPR once it was in force. The list below gives the estimated number of DPOs required in each of the EU's ten most important trading partners:
1. US: 9,000
2. China: 7,568
3. Switzerland: 3,682
4. Russia: 3,068
5. Turkey: 2,045
6. Norway: 1,790
7. Japan: 1,688
8. South Korea: 1,330
9. India: 1,125
10. Brazil: 972
Switzerland is already familiar with the concept of the DPO, and several companies have already established a DPO position. Nonetheless, the role is new for many companies and requires staff with the relevant qualifications. Companies should therefore review their current situation as quickly as possible and examine whether they will have to appoint a DPO in the near future.
When do you require a DPO as a Swiss company?
The Swiss data protection law currently in force does not oblige companies to appoint a data protection officer. Controllers can, however, be exempted from the obligation to register their data files if they have appointed a data protection officer. They must notify the Federal Data Protection and Information Commissioner of the appointment and are then included in the public list of companies exempted from compulsory registration.
Since the GDPR is an EU regulation, it is easy to assume that Switzerland and Swiss companies are not affected and that the GDPR is therefore not relevant to companies operating in Switzerland. This conclusion is erroneous.
Examples of situations in which a Swiss company could fall within the GDPR’s scope of application
Numerous Swiss companies that have no local presence in the EU, or only subsidiaries there, nonetheless fall within the scope of application of the GDPR. The following are possible scenarios:
- A Swiss company conducts (part of) its manufacturing activities in an EU country.
- A Swiss company offers goods or services to EU persons through an online shop.
- An EU subsidiary of a Swiss company processes personal data of its EU employees.
- A Swiss company collects data about the (online) behaviour of EU persons for marketing purposes.
The GDPR introduces new data protection provisions with a wider geographical reach. But even if a Swiss company does not process data of persons in the EU, data protection compliance deserves attention, all the more so because changes to Swiss data protection legislation are in the pipeline for the near future.
Who is the data protection officer?
A data protection officer (DPO) plays a leading role in a company's data protection. Data protection officers are responsible for overseeing the data protection strategy and its implementation in order to ensure compliance with statutory requirements.
- DPOs support the company in monitoring internal compliance, provide information and advice about data protection obligations and act as the contact point for data subjects and the supervisory authority.
- DPOs must be independent, must be experts in data protection, must have sufficient resources and must report to the highest management level.
- A DPO can be an existing employee or an external service provider. Whether appointed on a compulsory or voluntary basis, the DPO covers all processing operations carried out by the controller or the processor.
- In some cases, several companies can jointly appoint a single DPO.
- DPOs help the company to demonstrate compliance with the provisions and are part of the GDPR's reinforced focus on accountability.
- DPOs act as mediators between the relevant stakeholders, such as supervisory authorities, data subjects and business units within the company.