Who should take responsibility for data protection in your business?
There are two elements to this. First, who is responsible for getting the business GDPR-compliant, with systems and processes in place by the 25 May 2018 deadline? Secondly, who has overall responsibility for data protection on an ongoing basis?
Of course, the answers to those questions might be the same and there is likely to be at least some overlap.
Getting compliant with GDPR
In terms of who is responsible for compliance, it is important not to pass this off to an administrator or similar. Many of the administrative tasks involved in compliance can and should be handled by the staff who actually process the data, but it is vital that GDPR compliance is ‘owned’ at the highest level, i.e. by those with overall responsibility for running the business.
It’s also important to acknowledge that the GDPR affects several areas of any business. Employee data is obviously key, so HR involvement is important, but there are many other areas of any business which are likely to hold data and should therefore be involved in a compliance programme.
Your business is likely to hold marketing and/or customer data, and your finance function may also process personal data (payroll, supplier contacts, customer invoices). Take steps to map where personal data is held and who handles it, and put together a team which reflects both the importance of the task and the range of business functions involved.
Responsibility for Data Protection on an ongoing basis
Some organisations are required to appoint a Data Protection Officer (DPO) under the GDPR (Article 37). If your organisation fits into one of the following categories, you will need to do this:
- public authorities or bodies (other than courts acting in their judicial capacity);
- controllers or processors whose core activities consist of processing operations that, by their nature, scope or purpose, require regular and systematic monitoring of data subjects on a large scale (e.g. organisations that conduct online behavioural tracking); and
- controllers or processors whose core activities consist of large-scale processing of special categories of personal data (e.g. health service providers processing health data) or of data relating to criminal convictions and offences.
The DPO must be an individual with expert knowledge of data protection law and practice. The role can be filled by an existing member of staff or outsourced to an external contractor, but in either case the DPO must be able to act independently, must not be given other duties that conflict with the role (for example, deciding what data the business collects and why), and should report to the highest level of management.
Most small businesses won’t fit into those categories and so won’t need to appoint a formal DPO with expert knowledge. However, even where a DPO is not required, the organisation should still assign responsibility for compliance with data protection legislation to a named individual.
This should be someone senior within the business, ideally with a good understanding of the GDPR’s requirements and the principles of data protection, and in a role where handling personal data already forms a large part of their remit. Appointing someone senior matters: it is part of being able to demonstrate that your business is compliant and takes data protection seriously, which is itself an obligation under the GDPR’s accountability principle.
The contents of this page are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.