One of the new laws would require all private sector companies with more than 250 employees, all private sector companies whose core activities involve regular monitoring of individuals and all public authorities to formally appoint a data protection officer (DPO).
The Data Protection Officer Role
"The data protection officer must be empowered by the organization to act as an independent assessor of its compliance with data protection laws and report to the board of directors in doing so," say Ulrich Bäumer and Stephanie Ostermann of the International Law Office, an online legal update service for companies and law firms worldwide.
"The E.U. regulation specifically requires the data protection officer to coordinate data protection by design and privacy impact assessment initiatives and to be responsible for data security initiatives generally," say Bäumer and Ostermann. "Responsibility for training staff is also mentioned as important. In short, the data protection officer must ensure that his or her organization has adopted good data governance policies and procedures."
The new legislation would require organizations to demonstrate that they have undertaken regular data protection audits and privacy impact assessments using recognized industry standards, including demonstrating that privacy compliance and risk mitigation steps have been implemented before putting in place new processing systems and activities.
Implications of a Data Protection Officer Staff
With such a broad mandate, and severe penalties for noncompliance, Clawson warns that organizations should be prepared not only to hire a DPO, but a staff to help the DPO carry out his or her duties.
"The implication is there's a staff behind this person," he says. "Right now it looks like they're going to impose a whole bunch of controls that are apparently going to be legislated with a whole bunch of penalties. There's going to be some layer of staff that goes with that on top of the technology purchases and the documentation required."
Data Protection Steps to Take Now
The new data protection laws have yet to take final shape, and most sources agree they won't be implemented any sooner than 2014. But Clawson says that shouldn't stop organizations from beginning their planning now. He suggests two steps organizations that do business in the E.U. can take right now to prepare.