a chief privacy officer (CPO)

2 comments 7.198 views

Synopsis:
Clients can outsource the privacy officer function to CyTRAP Labs, ensuring that all the necessary policies, functions and procedures are dealt with in an appropriate, effective and cost efficient manner.
When acting in this capacity, CyTRAP Labs confirms any course of action that it will take regarding technology, security procedures, baseline measures and metrics with a client beforehand.
The person should have the necessary skills about the topic, including in depth understanding of information technology and processes, as well as privacy and data protection regulation and, finally, bring an understanding of organizational processes.  The privacy does not have to be an employee. Best practice suggests that it is not a member of management who runs the privacy function since possible conflicts of interest could materialize.

In German: Er oder Sie muss die “erforderliche Sachkunde” besitzen, das heißt vertiefte Kenntnisse der Informationstechnik, der (Datenschutz-) Gesetze und Einblick in die betriebliche Organisation. Der Datenschutzbeauftragte muss kein Mitarbeiter sein. Die „erforderliche Zuverlässigkeit“ ist jedoch bei leitenden Beschäftigten laut herrschender Meinung nicht gegeben, da eine Interessenkollision zwischen den Interessen des Unternehmens und des Datenschutzes eintreten könnte.

The board—under for instance Sarbanes-Oxley, SEC regulations, and the Realignment of the Swiss OR – Art 727 OR: (Art 728a Para 1 Nr. 3 OR) —is responsible for evaluating the effectiveness of privacy programs throughout the enterprise and must assess the risks related to these. Board members and/or the CEO can be subject to prosecution for privacy violations (e.g., Germany).

General purpose

The privacy officer oversees all ongoing activities related to the development, implementation, maintenance of, and adherence to the organization’s policies and procedures covering the privacy of, and access to, personal data (i.e. defined as data that allows one to identify the person with such as birth date, name and old age pension number) in compliance with federal and state laws and the organization’s information privacy practices.

Role of the privacy officer

The first step for an organization when undertaking privacy compliance measures should generally be to allocate a privacy officer. The role of a privacy officer should be to ensure that an organization complies with its privacy obligations and to act as a point of contact, internally and externally, for all issues relating to privacy.

An important part of a privacy officer’s role is to communicate with other organizations, entities and persons in order to keep up to date with changing privacy requirements and to ensure that third parties (such as agents, contractors, suppliers and subsidiaries) comply with their contractual privacy obligations.

Running the privacy function

Important is to understand that these tasks and jobs must be done regardless whether the position is being kept in-house or is being outsourced (see more in running a successful privacy function.

For more information, contact us directly