Agreed, we know the velocity of the decisions in the EU, and Germany in particular is a pretty good example of how strong it could be with their Federal Data Protection Act:
For a great round-up of the pre-existing (non-GDPR) case law I recommend taking a look at this:
While you have mentioned Germany, it reminds me of another regulator's decision on the Data Protection Officer (DPO), aligning with Articles 37, 38 and 39 under the GDPR, during late 2016 while referencing the FDPA:
Totally, that's a no-brainer on a conflict of interest, plus an IT Manager does not reach anywhere high enough in the organisation. From the link you referenced:
Companies required to appoint a DPO are thus well advised to carefully consider candidates that are free from conflicts of interest. While it does not appear necessary to preclude a DPO from having other corporate functions, the designated individual should not be in charge of, or have a personal stake in, significant decision-making relating to IT. One potential solution may be to “firewall” DPOs from such decision-making processes. Suffice it to say that this aspect of GDPR/BDSG compliance will be scrutinized heavily by German (and likely other) data protection authorities in the coming months and years.
DPOs advise this separation, so this is good advice.
There is also a school of thought I've come across that says don't call your DPO a DPO, unless you are mandated to have one under GDPR or other frameworks as there might be a heavier burden of expectation. Not the best reason IMHO, but this was from some lawyers.
You have rightfully pointed out, Early_Adopter, "... don't call your DPO a DPO, unless you are mandated to have one under GDPR or other frameworks as there might be a heavier burden of expectation...". The role is a compliance role rather than a risk management function. An IT Manager is more of a risk management or operational role and does not have a legal mandate like the DPO has under GDPR. It creates a conflict of interest due to its operative nature, as demonstrated in the German authority's opinion.
While you will find others like Singapore embedded the DPO in its data protection regulatory rules back in 2014, though not as loudly as GDPR demands, Hong Kong continues advocating the role as a best practice, and South Korea as well as the Philippines have revised their regulations to accommodate the data protection role legally without mentioning the DPO directly.
With GDPR being so descriptive and likely to set a 'gold' standard for the role, we will find it is likely to create a norm or increase expectations for the regulatory environment across the globe in years to come.
Other than outlaw.com:
.... Does anyone know of any legal/media sites that are centralising and tracking privacy-related items and court cases?
('The Register' tracks security news items but it can be quite partisan.)
Definitely - and there's always the possibility that the organisation 'waiting and seeing' could be the subject of a regulatory investigation or court case itself, privacy data breaches being the far-reaching and sometimes unpredictable things they are.
1. Make it a cross-department effort; it is not just IT, or just Legal, etc. Include Legal, IT, InfoSec, Compliance, and perhaps Risk
2. Understand the data-flows and contracts in place - map the data-flows, review the contracts and consent for processing data.
3. Create a process for Privacy Risk Assessment and integrate it into the System Acquisition and Deployment, and Vendor Management processes
4. Implement Records Management practice that will enable the organisation to discover data based on an individual's names or unique identifier.
5. Deploy Threat Detection and Response capability to detect and respond to breaches if they occur
And below are the 5 stages I saw recently in a presentation:
While I am unsure of a website that offers a centralised view of privacy tracking or court cases, I find this article quite useful if you would like to know the data protection or privacy enforcement actions taken across the globe, not just the EU: