Recent EU regulation requires large corporations to appoint a lawyer as an internal Data Protection Officer, presenting a rare opportunity for law firms
Highly prescriptive and currently the subject of proposed amendments, a new EU Regulation on data protection for 2014 is set to create a unique opportunity for law firms.
An important element of this single data privacy law is that public authorities and companies with over 250 people will be required to have a Data Protection Officer (DPO) – a new kind of lawyer with technical expertise who can oversee the way data is collected, stored and shared.
The Regulation also introduces principles on the key areas of accountability, the ‘right to be forgotten’, transparency and penalties.
“And it is hoped that the new regulation will be the key instrument in achieving complete EU harmonisation,” says Ruth Boardman, Co-Head of Bird & Bird’s International Data Protection practice.
The EU hopes that by making the concept of a DPO mandatory and not merely ‘good practice’, users will have more control over their data, say lawyers. And large corporations – regardless of their actual data processing capability and the high-risk processing they do – will be able to cut costs by only having to deal with a central supervisory authority. However, the DPO role requires acting independently of management in order to be an internal supervisor, while still remaining subject to companies’ corporate standards and procedures.
With so many internal and external demands on one role, for Alejandro Touriño, IT Partner at Ecija, outsourcing to a law firm as opposed to recruiting internally is an obvious choice for large corporations. In fact, many of their larger clients have already arranged that once the new regulation comes into force, the firm will take on the role of DPO for their company.
Law firms are a good fit for balancing the multi-faceted elements of the role, say lawyers, because they have both the legal and technical expertise required to take care of every aspect of what is a complex arena – from conducting data protection and security audits, proposing the necessary corrective measures, to ensuring that policies are complied with.
One of the main concerns lawyers have about the DPO role is how law firms can meet the demands of the digital age, namely carrying out the necessary data protection risk management and legal compliance around third party activity.
Touriño says law firms must focus on what they can control: “As technology is always changing, the role of DPO isn’t without its challenges as there are always risks of data breaches.
However, while we cannot be responsible for what every person in the business decides to do with data, we can adopt best practice at all times to fulfil our own responsibilities.”
Another issue is whether the ‘one-stop-shop’ approach will work in practice, given that once the regulation is passed by the European authorities, some of the new provisions might end up contradicting existing country regulations, an issue that lawyers say must be addressed.
Francis Aldhouse, a Consultant specialising in information law and policy at Bird & Bird, also believes that there is a demand for matters to be left to national decision in some cases and suggests that the duties on data protection officers are too strict or absolute.
Taking such matters into consideration, it remains to be seen whether the role of the DPO should be diluted to adopt a lighter approach that takes into account the different ways individual countries and the corporations within them operate, or whether the requirement for corporations to have a DPO should be determined by the actual volume and nature of the data concerned rather than the number of employees. However, whatever the intricacies, Iberian law firms are more than equipped to play a significant role – they know all about adapting to change.