A new profession in Belarus - data protection specialist. Who is suitable for whom?

The issue of personal data protection is acute for Belarusian business. Only recently, three high-profile cases of leakage of customer data of large companies in Belarus have become known. Since November 2021, when the law "On Personal Data Protection" came into force, every company has an obligation to appoint a structural unit or a person who controls the processing of this data. Such a profession is an analogue of the sought-after position of data protection officer (DPO), which has long existed in European and other countries. This responsible person plays a key role in the organisation's processing of personal data. The purpose of the DPO is to prevent possible violations of personal data protection legislation by the company.

Is there always a need for a chief personal data officer?

We emphasise: a responsible person is appointed in every organisation, including public bodies.

There are no exemptions today - for example, for organisations with a small number of employees or organisations that do not do large-scale processing.

These requirements do not apply only to natural persons, sole proprietors, lawyers, notaries, craftsmen, tutors and mediators.

How to organise work on personal data protection. Options.

Depending on the scale of personal data processing, companies have several options to address the issue.

Option one: Create a separate structural subdivision

Suitable for: large organisations that process large amounts of personal data and where such processing involves significant risks to the data subjects.

It is recommended that such a unit include not only legal advisors, but also persons with technical backgrounds to analyse processes in a comprehensive manner. The number of such staff depends on the scale of data processing.

Option two: employ a separate specialist on staff

Suitable for: organisations that process personal data on a large scale, but on the condition that one person can still control all processing.

Such a specialist should report directly to the Director of the company. This will ensure the independence of the employee and allow him/her to fulfil his/her duties effectively.

Option three: delegate these functions to one of the employees

Suitable for: those who work with a small amount of personal data.

However, such an employee cannot be any person in the company.

Here are the requirements that need to be met:

  • the processing of personal data must not be the main activity for that person in order to avoid a conflict of interest. For example, it cannot be employees of the HR or accounting department;
  • the employee must have the objective ability to fulfil his or her functions given his or her current responsibilities. It is not appropriate to appoint someone to such a position who works on a low rate if the organisation processes large amounts of data.

Option four: assign these functions to several employees

For example, control over the implementation of organisational and legal measures for the processing of personal data is best entrusted to a lawyer. But control over the implementation of technical and cryptographic protection measures for personal data is better entrusted to an information security specialist. He or she will be responsible for developing and implementing technical security measures, controlling access to data, and detecting and responding to possible threats and breaches.

Or you can hire a contracted data protection specialist.

What a data protection officer does: functionalities

  • Organisational functions: study and analysis of personal data processing processes, identification of risks associated with such processing, development and keeping documents up to date.
  • Consulting: counselling and familiarisation of employees with personal data legislation.
  • Control: inspection of compliance with the requirements of personal data legislation in the organisation;
  • Organisation of employee training on personal data processing and protection;
  • In addition, such an employee may review applications and complaints of personal data subjects (e.g., the company's customers), as well as interact with the National Centre for Personal Data Protection.

What if there is no data protection officer?

The National Centre for Personal Data Protection, during inspections in 2022, often detected violations such as the absence of a responsible person in the enterprise or the formal assignment of duties to some employee who cannot perform them.

Such violations are punishable by a fine of up to 50 basic units (part 4 of article 23.7 of the Code of Administrative Offences).

In addition, we would like to draw attention to an important point: the appointment of a data protection officer does not exempt a company from liability in the event of a breach of the Personal Data Protection Act. Simply put: this responsibility lies with the company as a whole, and the person in charge is responsible for fulfilling his or her duties.

Dear journalists, use of material from the REVERA website in publications is only possible with our written permission. 

To approve material, please contact i.antonova@revera.legal or Telegram: https://t.me/PR_revera