Regulatory approaches to protection of human rights in the digital society: Data Protection Officer within a company
The practice of introducing a Data Protection Officer is widely accepted in corporations around the world. The Data Protection Officer is authorized to manage and monitor databases, to register databases into Central Data File Register, to acquire permits for data transfers, to control the validity of consents for personal data processing, to supervise if the users are regularly informed of their personal data processing, making data transfer contracts and monitoring them, and to continuously improve, advance and suggest proposals for adopting appropriate security measures for data protection, as well as other tasks for privacy and personal data protection. New EU regulation on personal data protection, which is expected to be adopted in May 2014, sees as necessary for every corporation and institution which processes more than 5000 personal data to have a Commissioner for personal data protection.
The reason for introducing this function was the aim of SIMACEK company to be awarded the ISO 27001 certificate, which we have written about in the previous article, and which refers to Information Security. “Regulating this domain can lead to numerous advantages on the market and great costs as well. This certificate can somewhat be compared with the HCCAP system. Information has become significant in this sector as much as environmental protection. They are like radiation – due to a pile of information, it is only a matter of time when it will leak, and then we ask the question of responsibility. Having the position of Data Protection Officer, corporations can hand down the responsibility to the Data Protection Officer, since he is the one in charge for implementing the data protection law, and not just that law. Data protection is not just covered by the Law on Data Protection, but also by other laws from different sectors (telecommunication law, copyright, labour law, e-commerce, e-signature, competition law, media law, human rights etc.). This branch of law is a part of human rights law, but it requires a wide range of knowledge of law and regulations. This position can be introduced to public institutions as well”, says Mr. Diligenski.
There are numerous advantages for setting up this position. As it was said earlier, setting up this position is an important part of 27001 certification. As advantages other than the previous one, we should primarily mention that clients expect from corporations to work in a responsible way and to manage their data in accordance with the laws. That impacts on loyal competition, because data isn’t processed without user’s consent. Setting up this function decreases the responsibility of company management and contributes to corporate reputation (because the corporation which has organized internal regulations and organizational-technical measures can show it to the clients when needed). It also reduces the costs and the possible risks of information leakage (since in Austria there is an obligation of paying a fine for SPAM, which goes up to 58 000 euros) and it contributes to the transparency of the corporations’ business, as Mr. Diligenski explained.
When we talked about the problems he copes with, Mr. Diligenski said that he faces various challenges and that he constantly needs to balance, since this position is extremely sensitive and he hopes that it will be regulated by the law. “For only an independent and unbiased commissioner can carry out his job without any pressure, his work position in the company must be protected by the law for at least two or three years. In that way, corporate management won’t interfere with the commissioner’s activities”, he added.
As one of the problems he faced, he singled out one example: “Once I had a case in which a colleague of mine complained and asked for her picture to be removed from the company’s website. The mentioned colleague has participated in our organization’s manifestation and was photographed with other colleagues and the logo of our company. In this occasion, she must have been aware that these kind of manifestations can be used in marketing purposes. Therefore I had to deny her request. However, my colleague has left the company and the company’s interest wasn’t predominant any longer, and since she has filed a complaint, I ordered for removal of the photographs. It was clear that there was no connection between the company and my colleague, and the photographs were removed from the website.”
As a challenge, he also mentioned creating a webpage which provides an insight in commissioner’s activities and asking questions about personal data protection. According to Mr. Diligenski, it’s an opt-in solution where clients can decide whether they want to enter their data or not or whether they want to receive marketing materials (strictly with client’s consent) because it is the best possible solution, especially for marketing. In this way, the database of subscribed clients is significantly reduced, and so is the potential profit. Fortunately, the colleagues have realized the significance of this solution, although at first there were problems in explaining how the potential damage could be irreparable. “The fines are charged mostly in this area and since an e-mail is considered a digital signature, it is impossible to take further actions without the consent.”
Corporations lately intend to create internal regulations for data protection, and in SIMACEK group, as Mr. Diligenski said, there are contracts and directives on the company level. “For example, contracts about using data in marketing purposes, contracts about accountancy, billing, webpage usage etc. The directives are regulating the usage of electronic devices and there are instructions for using smartphones, etc.”
We wanted to know if analysis which shows the positive impact of this function on corporation’s business exist. As Mr. Diligenski said, this position doesn’t create direct profit, but it brings numerous advantages. The problem is that the consequences of not introducing this position to the corporation will appear much later, especially when the corporations has to pay certain fines. “The biggest damage for the corporations is the loss of big clients and the loss of reputation, since data protection is very important for marketing”, he says. Mr. Diligenski also states that in Austria, as well as in Serbia, Law on Personal Data Protection is a “dead law”, and in the future that has to change, because corporations will understand the importance of this position and its advantages.
On a global level, Facebook has given an opportunity to its users to ask question considering privacy on that social network to its Chief Privacy Officer of Policy. The privacy practices of this social networking company was not always in line with its proclaimed goals. In 2011, the company has been under the investigation by the Federal Trade Commision, suspected for deceiving users about its privacy policy. The case was closed when Facebook agreed to settle, committing to cease making false claims and to submit to independent audits for 20 years. The second big case was the case of an Austrian law student Max Schrems who, for an university research, requested from Facebook to deliver every data the corporation had about him, which they did and he received 1 222 pages of data they had about him. After that, Max started the “Europe vs Facebook” initiative, as an attempt to force Facebook to change its privacy policy in a way to protect users, in which he succeeded to some extent.
One of the bright examples of corporations operating on our market is Telenor, LLC, which established the position of data protection and privacy officer, i.e. the Local Privacy Officer (LPO), who is responsible for protecting and implementing Telenor’s privacy policy. SHARE Defense has spoken with Telenor Serbia LPO Mr. Milan Nikolic about the authority and methods of work in this position. As Mr. Nikolic said, “the role of the Local Privacy Officer (LPO) is predicted by the Privacy Policy of the Telenor Group.” The LPO is a single body chosen by Telenor’s local company Managing Director and is formally responsible to the company’s Managing Director. In the local Telenor branch, for the purposes of efficient functional integration, the corporate security director is also the LPO who is:
-
responsible for monitoring if the personal data processing within Telenor Serbia is in accordance with domestic and international data protection regulations and the Telenor Group Privacy Policy;
-
involved in projecting new products and services from an early stage to make sure that everything is in accordance with the Telenor Group Privacy Policy principles and every internal organizational unit is obliged to inform the LPO about the development in this area;
-
has the authorization to inspect every processing including personal data usage, as well as the right to report the cases of incompatibilities to the Managing Director;
-
has the obligation to help in training employees and raising awareness in this area.
When asked on what basis is the users’ personal data available to Serbian public authorities, Mr. Nikolic answered that the data is given to them in accordance with Law on Personal Data Protection, Criminal Procedure Code, Law on Electronic Communications and single orders from courts and prosecutors.
Data Protection Officer should provide that companies conduct business in a responsible way and prevent irreparable damages as a result of data handling in a manner that is not in accordance with the law. More about that will be presented in the next article, including how corporations can regain their users’ trust, enable them understand the importance and price of their data, as well as about case law in this area.