Guide to Privacy Law Compliance
This article is reprinted with permission from the Jan. 18, 2013 edition of The Recorder.
by Lothar Determann, Adjunct Professor
When you set out to design and implement a data privacy compliance program for a company or other organization, you face a number of threshold decisions and preparatory tasks, including putting a person or team in charge of data privacy law compliance.
Someone needs to be in charge. If your business is a one-person sole proprietorship, then you are in charge. In larger organizations, however, there are typically a number of individual candidates or departments that could take charge of data privacy compliance, including lawyers, information technology staff, human resources and internal audit personnel. Each of these groups tends to have a different approach, strengths and limitations. Here are some factors to consider as you look for the right person or team:
In most larger businesses, the person in charge of data privacy compliance usually comes from any of the above departments or areas of specialization. Larger companies with a great exposure or interest relating to privacy laws may decide to create a new department or office. Smaller companies may find it sufficient to put someone in charge on a part-time basis. If a company has a legal department, attorneys are usually involved in data privacy compliance. Often, legal counsel take the lead regarding data privacy compliance. But, the ideal candidate for project management does not necessarily have to be a lawyer, particularly if a company views data privacy more as a business opportunity.
Whoever takes charge within a company will have to answer the big "Why" question to obtain sufficient resources and support from stakeholders: Why is a data privacy and security program important? For some companies, compliance is a matter of risk management and avoidance of sanctions and liability. Others care additionally about potential reputational risks and opportunities and view privacy compliance as a differentiator. Also, for some companies, data privacy and security compliance is a key condition to selling products and services, for example with data storage or software-as-a-service providers. When you start out implementing a compliance program in a company, it can be very helpful to prepare a brief whitepaper in FAQ format to raise awareness and gain support among key stakeholders within the organization.
Persons who take charge of designing and implementing data privacy compliance programs sometimes hold the title "data protection officer" or "chief privacy officer." The roles associated with these and similar titles can actually be quite different in nature and you should consider carefully whether your company needs one or the other, or both.
One key reason multinational businesses have a data protection officer is that they have a presence in Germany. Most multinational businesses consider Germany an important market. Under German data protection law, companies are legally required to formally appoint a data protection officer with a watchdog role to supplement supervision by governmental data protection authorities.
Germany was the first country to introduce the concept of a data protection officer in an attempt to force self-regulation via a company-appointed guardian of privacy interests. Other jurisdictions with early data protection laws, including France, opted for government notification and approval requirements instead. A middle-ground approach was adopted by the Netherlands, Norway, Sweden and Switzerland, for example. These countries give companies the option to appoint a data protection officer in lieu of submitting more substantive filings to data protection authorities. Some companies model their compliance approach after the German rules for all jurisdictions where they decide to appoint a local data protection officer. This usually ensures compliance with local rules (as the German requirements tend to be the strictest and most comprehensive), but this is not legally required. Many companies also voluntarily appoint data protection officers or privacy compliance liaisons for countries where this is neither required nor incentivized or even contemplated. In addition, many larger U.S. companies have a chief privacy officer, often as well as compliance officers, internal auditors, specialized legal counsel for data privacy law compliance matters, information security officers and trained privacy professionals.
If you select and appoint a data protection officer in accordance with German law, you typically satisfy the requirements of other jurisdictions that define such a role by statute, for example, France, the Netherlands, Norway, Sweden and Switzerland, except that you may have to notify local authorities of the appointment. Companies do not tend to formally appoint data protection officers where local law does not offer any meaningful corresponding exemptions from other requirements. For example, French law provides for rights and duties of a data protection officer, but does not require or significantly reward the appointment. Thus, most companies opt against a formal appointment in France. But companies with a presence in the Netherlands, Norway, Sweden, Switzerland or other jurisdictions that reward the appointment by dispensing with other filing requirements tend to opt for the appointment of a data protection officer. Some companies appoint the same person for several or all jurisdictions where a formal appointment is required. This is particularly efficient for companies that use global systems and procedures, which can be monitored best by one person.
Separate and apart from satisfying formal statutory requirements to appoint a data protection officer, larger organizations especially see operational advantages in establishing a network of local liaisons for data privacy compliance and other compliance efforts in order to have specialized local contacts who can help implement and monitor these legal programs. Also, many companies voluntarily appoint a "global privacy officer" or "chief privacy officer" to demonstrate internally and externally that the company takes data privacy compliance seriously. It may also be beneficial to have one point person who takes ownership and responsibility for this topic — which affects many other functions, including IT, HR, physical security, law, finance and sales and operations.
For such informal and voluntary appointments and for jurisdictions where the role of data protection officer is not defined by statute (for example, the United States), it is important that the company defines the authority and duties of the privacy officer in a detailed written memo or agreement. In particular, companies need to define expectations as to whether the privacy officer shall advocate primarily for privacy or company interests, provide advice or make decisions, and react or be proactive. Similarly, shall the privacy officer coordinate, support, supervise or monitor colleagues in roles with overlapping responsibilities (such as compliance officers, internal auditors, privacy counsel in the legal department and information technology and security staff in the IT, marketing and HR departments)?
Companies have to decide and document what the objectives and expectations are: Should the CPO be a coordinator, advocate, adviser and/or guardian of privacy or the company's interests in data and compliance? Each company should find its own way in this respect, and each company should define responsibilities and tasks clearly in writing, so that the appointed individual clearly understands rights, obligations and expectations. If roles are not clearly defined, a misalignment of expectations could easily result in uncomfortable conflicts. For example, if a global privacy officer at a U.S. company understands her role to be as independent and public policy-driven as that of a German data protection officer, she might be quick to notify U.S. authorities of concerns. Or, if a member of the legal department is appointed as "CPO" and shifts his approach from acting as legal counsel towards a more executive role, this could undermine attorney-client privilege in certain situations. Companies should consider these and other pros and cons before making voluntary appointments, and then describe the role in a detailed writing to increase the chances of achieving the desired benefits and to reduce the risk of unwanted consequences and conflicts.
Lothar Determann is an adjunct professor at UC Hastings and affiliated with the UC Hastings Privacy and Technology Project. He practices and teaches data protection and international technology law. He is a partner with Baker & McKenzie and a member of the global data privacy steering committee. Determann is admitted to practice in Germany and California and is the author of Determann's Field Guide to International Data Privacy Compliance (2012), on which this summary article is based.