Wherever there is society, there is law (ubi societas, ibi ius). This classic legal maxim captures the dynamic nature of the legal profession. As society evolves, so too must its legal and ethical frameworks. Few developments have accelerated this evolution as profoundly as the digitalisation of data. This shift has not only altered how organisations function but has also created a new, critical guardian for the digital age: the Data Protection Officer (DPO). In my view, an effective DPO must champion and embody a mindset of “Integrity by Design”.
The rising value of data – alongside its misuse and abuse – has fundamentally reshaped traditional legal roles. This transformation is most visible in the EU’s General Data Protection Regulation (GDPR), which seeks to safeguard the personal data of natural persons. Under the GDPR, entities that process large-scale or sensitive data must appoint a DPO: a digital custodian charged with ensuring that personal data is processed lawfully, fairly, and transparently. As a public authority, the FIAU is obliged to have such an officer.
Data lies at the core of the FIAU’s mission. Collecting, analysing, and interpreting information is integral to fulfilling our statutory obligations. Yet this centrality of data brings inherent risks. Like a tightrope walker above a crowded street, the FIAU must balance the need to harness data with the responsibility to protect it. Our starting point must always be lawfulness. The FIAU must ensure that the data we obtain is sourced and processed strictly within the scope of our powers under the national Anti-Money Laundering framework. Compliance, however, extends far beyond establishing a legal basis. A modern DPO must be embedded at the heart of organisational processes, not treated as a late-stage reviewer or a box-ticking mechanism.
This is where the principle of privacy by design and by default becomes essential. It requires that data protection considerations form part of the FIAU’s operational DNA, from the initial design of any process, project, or system. In practice, this means implementing safeguards around proportionality, minimisation, retention, transparency, and security. It also means maintaining clear, accessible communication between the FIAU and its data subjects to ensure accountability and trust.
The Evolving Skillset of the Modern DPO
The DPO role today is profoundly multidisciplinary. It requires legal expertise, certainly, but also an understanding of technology, data governance, risk management, and organisational culture. Increasingly, DPOs must provide strategic guidance, anticipating risks, interpreting evolving regulatory frameworks, and advising on technologies such as automated decision-making or artificial intelligence.
This evolution has become even more significant with the introduction of the EU AI Act, which brings a new layer of accountability and risk management to organisations using AI systems. While the AI Act is not a data protection regulation per se, it intersects closely with GDPR principles. DPOs will inevitably play a key role in helping organisations navigate these overlaps, ensuring that AI-driven tools are deployed lawfully, ethically, and transparently, and that human oversight remains central.
Balancing Innovation and Protection
Public authorities increasingly rely on digital tools and advanced analytics to carry out their mandates effectively. Yet with each innovation come new ethical questions. The real challenge lies in enabling progress without compromising fundamental rights. Here, the DPO functions not as a barrier to innovation, but as a critical enabler ensuring that trust and technology advance in parallel.
Integrity by Design: A Public Mandate
Ultimately, compliance is not the end goal. The true objective is public trust. Data protection and the role of the DPO exist not merely to avoid breaches or regulatory penalties but to reinforce integrity in how public bodies operate. When individuals believe their data is respected and protected, they are more likely to trust the broader mission of the FIAU. Without this trust, even lawful actions may struggle to earn social legitimacy.
For me, “integrity by design” is not a slogan but a personal commitment. It serves as a reminder that behind every dataset are individuals whose dignity must be preserved. As long as data remains central to public governance, the DPO must serve as both guardian and guide, ensuring that trust remains our most valuable currency.
Would the public trust the FIAU if they believed we could not protect their data? The answer is self-evident. And it is precisely this trust that the DPO must safeguard every day.
Article written by
Dr Andrea Gonzi, Data Protection Manager, within the FIAU Malta’s Legal Affairs team.