Who protects your data? How will your organisation govern itself?
The General Data Protection Regulation (GDPR) became directly applicable in the UK, as across the EU, on 25th May 2018. GDPR specifically highlights the requirements of transparency and accountability, and expects organisations to be able to demonstrate that they take data governance seriously.
Do you have someone, for example, who can:
- ensure staff are adequately trained, both to prevent data breaches or unauthorised disclosures and to identify and report them when they happen?
- ensure compliance is seen as a priority in all aspects of the organisation’s activities?
- competently handle individuals’ enhanced rights?
It is worth noting that having a Data Protection Officer in place is evidence of accountability, which a regulator can take into account as a mitigating factor if/when fines are issued.
How can you ensure you take data governance seriously?
Organisations must ensure they have a clear set of procedures and policies in place so that data assets are managed in an effective and compliant manner. For some organisations it is mandatory under GDPR (Article 37) to appoint a Data Protection Officer. The specified circumstances include where:
- processing is carried out by a public authority or body (other than courts acting in their judicial capacity)
- core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale
- core activities consist of processing special categories of personal data (i.e. sensitive data), or data relating to criminal convictions and offences, on a large scale
Even if you don’t fall under this requirement it might still be prudent to appoint a DPO or, at the very least, ensure someone or a defined team has responsibility for data governance.
It may prove invaluable to have a Privacy and Consumer champion who can also highlight and minimise risk.
The GDPR requires organisations to demonstrate accountability through measures such as Data Protection Impact Assessments (DPIAs), audits and policy reviews. Are you complying? If not, it’s important to assign responsibility, and budget, for data protection within your organisation.
Who should you choose to take ownership of governance and compliance?
The employee responsible for data governance should be a senior member of staff who reports directly to the highest management level within your organisation (if you are appointing a DPO, this is a specific stipulation under GDPR, Article 38). You could opt to appoint someone internally, and if your organisation is relatively small, data compliance could simply form part of their existing role. However, it’s important to consider any conflict(s) of interest, since GDPR requires that other duties given to a DPO must not conflict with the DPO role.
Can someone from the marketing team take on the responsibility of data protection?
Yes, but perhaps not if they are continuing to run day-to-day marketing campaigns. Their desire to implement effective marketing strategies could conflict with their compliance considerations. A DPO or compliance officer should never have financial or sales targets within their job specification.
Can someone from the legal team become the DPO?
Yes, but do you want someone who is used to stipulating the rules, or someone who can balance commercial and compliance considerations and simply highlight risk? It may also be important to consider issues surrounding legal privilege.
Isn’t this something the IT department should own?
Technical security is, of course, an important aspect of data protection compliance (see: Why marketers need to worry about data security?), but compliance extends beyond the technology to how employees access and use personal data. A significant number of breaches are caused by the actions of employees (for example, sending data to the wrong recipient or mishandling access) rather than by technical security failures.
Can the DPO role be contracted out?
Yes, and this is certainly an option for smaller organisations that perhaps only need someone for a set number of hours per month. GDPR expressly permits the DPO to fulfil the role under a service contract. Hiring external data protection officers is, for example, a model already widely adopted in Germany.
Whoever you choose, they should be someone with sufficient background knowledge of data protection, with a good understanding of the key principles, rules and regulations. They should also be an effective communicator, who can competently handle customers and clients, train staff and promote compliance. Perhaps most importantly, they need to be able to tell senior management things it might not want to hear.
What key GDPR considerations should your organisation have focussed on by now?
AUDIT & ASSESSMENT
- Assessing all data held, the permissions attached to it and whether it will be fit for purpose (see: What do marketing permission statements need to include?)
- Ensuring DPIAs are part of business-as-usual (see: Privacy by Design, GDPR assessment and DPIAs)
- Assessing the challenges of implementing enhanced data subject rights (see: How do you handle individuals’ rights to control their data?)
RISKS & PRIORITIES
- Highlighting key risks relating to personal data, identifying priorities and budgeting accordingly
REVIEW & UPDATE
- Reviewing contracts with suppliers and processors (see: Processor liability & contracts with external data processors)
- Assessing how your marketing platforms will need to change
- Ensuring GDPR awareness for all relevant staff
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.