Section 4, article 37, 1(b) of the General Data (sic) Protection Regulation ‘of 2018’ (sic): When the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;, the instantiation of a Functionary for Data Protection is mandatory.
Yes this includes all organisations dabbling in web analytics… No there’s no threshold (that previously was) of 250 or 500 staff minimum.
But hey, there’s arrangements to hire a Functionary — Privacy Officer works better — for less than full-time or on an (on-going) assignment basis. Come to think of it; the mandatory full independence of the PO (party commissioner, anyone?) may sit better with a hired hand/consultant than with someone on the payroll.
Still, one better study the task list for such a PO. Not a C3PO… The bumbling-through-overly-decent butler is not quite the role model you’d want. Or… you’d want the PO to be such, a harmless nuisance. But then, you waste the PO and budget, and still will be vulnerable. The common anglo-saxon (hopefully -only but doubtful) approach that if something goes wrong, you fire the sitting duck scapegoat and hey presto no more worries all are done, satisfied and no damage’s done, will not work here if it ever did. On the contrary, purposeful negligence, wrongful act, et al., may easily be construed, resulting in long-term mismanagement (still a capital offense…! Oh why can’t we jail all the white collar criminals) the misfortune of all your employees, clients etc. will fall on the Board for once… last paragraph of this applies.
To return to the positive: When arranged well, some things in business may have to change but overall, both your processing will run more smoothly (sic) and you public posture will improve (leading to improved data quality, new clients, and the world is yours, right?).
So, draft a PO Charter and hire me.