There are two elements to this – first, who should be responsible for ensuring GDPR compliance, making sure your business is ready with systems and processes in place for the May 2018 deadline, and secondly, who will have overall responsibility for data protection on an ongoing basis.
Of course the answers to those questions might be the same and there is likely to be at least some overlap.
Getting compliant with GDPR
In terms of who is responsible for compliance, it is important not to pass this off to an administrator or similar. Although many of the administrative tasks involved in compliance can and should be managed by the staff who will actually be processing the data, it is vital that GDPR compliance is ‘owned’ at the highest level, i.e. by those with overall responsibility for running the business.
It’s also important to acknowledge that the GDPR affects several areas of any business. Employee data is obviously key, so HR involvement is important, but there are many other areas of any business which are likely to hold data and should therefore be involved in a compliance programme.
Your business is likely to hold marketing and/or customer data, and your finances may also involve personal data. Take steps to understand where data is and put together a team which accurately reflects the importance of the task and the various business functions involved.
Responsibility for data protection on an ongoing basis
Some organisations will be required to appoint a Data Protection Officer (DPO) under the GDPR. If your organisation fits into one of the following categories, you will need to do this:
- public authorities;
- controllers or processors whose core activities consist of processing operations that, by their nature, scope or purpose, require regular and systematic monitoring of data subjects on a large scale (e.g. organisations that conduct online behaviour tracking); and
- controllers or processors whose core activities consist of processing sensitive personal data on a large scale (e.g. health service providers).
The DPO should be an individual with expert knowledge of data protection law. If you need to appoint a DPO this could be someone internal, or could be outsourced to an external contractor.
Most small businesses won’t fit into those categories, so won’t need to appoint a specific DPO with expert knowledge. However, even if an organisation is not required to appoint a DPO, it should still assign responsibility for compliance with data protection legislation to a named individual.
This should be someone senior internally, ideally with a good understanding of the requirements of the GDPR and the principles of data protection, and in a role where a large part of their remit already naturally involves data. Appointing someone senior is key: it is part of having systems in place to demonstrate that your business is compliant and takes data protection seriously.
If you’d like some advice on a compliance programme for the GDPR or are unsure who should be responsible in your business, get in touch.