Available at a fixed monthly cost

Get your quote today

What we offer at a glance

  • Get an external data protection officer
  • Audit of your data privacy status quo
  • GDPR support for small businesses and large corporations
  • Personal contact person & individual support
  • Easier communication with authorities
  • 100+ experts from the fields of law, economics & IT

Don't trust us, trust them:

Jedox  Logo Contact Demodesk Logo Contact Elevate Logo Contact Canon  Logo Contact CBTL Logo Contact Alasco  Logo Contact RightNow Logo Contact Veganz Logo Contact Escada Logo Contact First Group Logo Contact

Learn more about our prices & services

or call us now: (020) 36956 452

How data privacy is related to compliance

Compliance managers take care of risks such as corruption, violations of antitrust law, money laundering, and discrimination. Due to this wide scope, data privacy can sometimes end up quite low on the compliance department’s list of priorities. However, data privacy has a special role within compliance. It is a topic that occurs across many compliance matters, and is particularly important in whistleblowing systems. We look at how data privacy and compliance are related.

What you need to know, in a nutshell 

  • For companies, compliance means the implementation of certain standards to comply with (legal) requirements. Naturally, this also includes data privacy.  
  • Data privacy includes the implementation of data protection regulations (GDPR in particular) and therefore the protection of personal data. 
  • Data privacy occasionally requires the implementation of suitable governance structures and processes to comply with relevant regulations This is where a data protection officer may benefit from existing compliance management systems.
  • In turn, data privacy plays a major role in many other compliance topics, for example when implementing a whistleblowing system. At this point, the compliance manager would depend on the support of the data protection officer (DPO). 
  • Thus, the collaboration between DPOs and compliance officers is important as both pursue the same goals: to prevent fines and enhance the company image. 

In this article

Distinction between data privacy and compliance

Compliance describes adherence to any guidelines and laws within a company. This means compliance managers must ensure rule-compliant conduct in business divisions – from the recruitment processes in the human resources department and expenses claims submitted by sales staff through to compliance with the General Data Protection Regulation (GDPR) in all departments. 

Data privacy always refers to the protection of personal data. Since May 2018, the EU GDPR, the Data Protection Act 2018 and now, since Brexit the UK GDPR forms the legal basis for data privacy in the UK, making this a compliance matter. 

How companies benefit from professional compliance management  

Structured compliance management provides a competitive edge while ensuring adherence to laws and legislation. Public sector tenders are not offered until an organisation can demonstrate that a suitable management system is in place. 

How data privacy and compliance overlap 

Whilst data protection falls entirely within the scope of compliance, there are interesting overlaps with other compliance matters. For example:

Technical and organisational measures (TOMs) 

The introduction of TOMs is required at many points within a company – including information security (one of the compliance risk areas). Information security aims to protect company assets. In contrast to data privacy, information security is about protecting the company itself, rather than the people behind the data. Although there is no defined legal framework for implementing information security management, there are international standards and guidelines such as ISO 27001, which define certain requirements. One of these requirements is the implementation of suitable technical and organisational measures for the protection of information.

You already implemented the guidelines of the ISO 27001? That's great! We established an ISO 27001 Readiness assessment where you can test your performance. Otherwise, you can also check our ISO 27001 Implementation Roadmap that supports you to approach the certification. Just submit the form.

GDPR contains a similar requirement (Art. 32 GDPR), TOMs must be implemented and documented with a suitable level of protection, in order to protect personal data.

As a result, if a company has already arranged TOMs for the protection of personal data, these methods can be “recycled” for information security and vice versa. The best way to ensure this is to have compliance managers and data protection officers closely collaborate and exchange information with one another.

Introduction of a whistleblowing system  

The EU Whistleblowing Directive imposes an obligation on the companies based in Europe to implement a whistleblowing system by the end of 2021. However, even before this directive came into force, whistleblower systems had been key compliance pillars that ensured compliance risks and breaches were identified early through anonymous reports from so-called whistleblowers.

Anonymity can only be ensured if the whistleblower’s identity remains confidential. This is where data privacy comes into play. Regardless of how a company implements its whistleblowing system, the whistleblower’s personal data is particularly sensitive and therefore must be well protected. The compliance officer must work with the DPO to develop a workable concept together. This article shows what this could look like.

Who is responsible for maintaining compliance and data privacy?

Typically, compliance is the responsibility of a compliance team headed by a compliance officer who ensures adherence to all pertinent laws, guidelines, directives and voluntary commitments. Normally, the introduction of a compliance management system and suitable software tools (e.g., digital whistleblowing systems, policy manager etc.) will form part of this role. There are no legal requirements for the training of a compliance officer; most of them are graduate lawyers with an optional background in business and economics. In the organisational chart, the compliance officer is directly accountable to the company’s management.

In contrast, the DPO takes on the role of a consultant. They will analyse the current state of the company’s data security and suggests ways to improve it. The DPO focuses on implementing relevant data privacy laws. Although the DPO report to the ‘C’ suite, the role is well suited to be performed by an external body, comprising of independent experts in terms of data protection.Please read this article to find out more about the responsibilities of a DPO.

 

Compliance officer 

Data protection officer 

Tasks & responsibilities 

  • Compliance with all laws, guidelines, directives and voluntary commitments, including training courses and inspections 
  • Reduction of liability risks 
  • Introduction of a compliance management system 
  • Selecting of suitable methods and tools
  • Supervisory responsibility for the compliance team 
  • Cross-departmental communication 
  • Company’s data privacy review
  • Consulting the company’s management on compliance with data privacy laws 
  • Reducing the risk of data breaches/data privacy violations 
  • Staff training 
  • Preparation of relevant data privacy documentation 
  • Consulting the company and communicating with the authorities in the event of a data breach

Training 

  • Typically, graduate lawyers, often with advanced training/additional qualifications 
  • Rarely with a background in business and economics or risk management 
  • More often than not, legal experts, Data protection or IT specialists with the appropriate further training  

Who do they report to? 

Normally, they are directly accountable to the company’s management 

Pursuant to GDPR, the DPO is not obligated to follow instructions 

Is it legally required that he/she be appointed?

No, his/her tasks and responsibilities are not specifically prescribed by law and largely depend on the respective company and the rules to be adhered to.

Yes, for most companies; further details can be found here. GDPR describes the DPO’s tasks and responsibilities in detail.

Employment 

More often than not, an internal position, but now law firms are also offering an external service (e.g., for companies that are not yet sure whether they want to fill the position internally) 

Could be internal or external, depending on the company’s requirements (Further information regarding the comparison of internal and external DPOs is available here). An internal DPO is protected against dismissal. 

How compliance officers and data protection officers can work together 

The examples above of the whistleblower system and information security, highlight how data privacy affects nearly all company divisions and has a major impact on the compliance department structure. A conscientious compliance officer will closely collaborate with the DPO at all times. Such collaboration has many benefits:

  • The data privacy processes and methods that have already been implemented (key word: TOMs) can be adapted to other compliance matters (such as information security) 
  • The compliance management system set up by the compliance officer can help to develop or fully integrate a data privacy management system
  • Tough data privacy measures can protect whistleblowers – a legal requirement set out in the Whistleblowing Directive 
  • Training materials can be exchanged and supplemented, as necessary
  • Compliance with data protection laws is in the interests of both the compliance officer and the DPO – so collaboration here will go a long way 

Summary 

Data protection and compliance can be cleverly combined, by defining and using the similarities in the existing management systems. This will help create comprehensive, legally compliant processes that are evident to the general public. For companies, it will mean a long-term competitive edge, help gain trust from customers and interested parties, and last but not least help prevent fines due to data breaches and failure to adhere to regulations. 

Do you have unanswered questions about data privacy and what your business should be aware of? Don't hesitate to reach out to one of our experts for a free consultation.
Book an appointment

 

About the author

Patrick Agostini Patrick Agostini
Patrick Agostini

Als Projektmanager bei DataGuard steht der gebürtige Südtiroler Patrick Agostini einer Vielzahl von Vereinen sowie KMUs aus Branchen wie Financial Services, PR und Marketing täglich beratend zur Seite. Die rasante Digitalisierung, die Relevanz von „Big Data“ und das damit verbundene Recht auf Datenschutz interessieren Patrick schon seit langem. Vor seinem Masterstudium (LL.M.) in Tilburg studierte er italienisches Recht an den Universitäten Innsbruck und Mailand und ist so bestens mit Theorie und Praxis des Datenschutzrechts in Italien vertraut – dem Land, das er übrigens bereits einmal bei der Rafting-Weltmeisterschaft vertrat.

Explore more articles