As a small business, do I need to appoint someone to look after privacy compliance?
Ask the question “who wants to be data protection compliance officer?” in your company and you’ll get a variety of evasive (and sometimes rude!) answers. It seems nobody wants to make sure that the company sticks to the privacy straight and narrow. After all, who wants to interpret DP law and translate it into company practice? And there’s not even a legal imperative for the job in the UK (although this is likely to change with the new European Regulation). However, any company operating without guidance in this area can disappoint its customers by failing to honour its data promises.
Appointing a compliance officer is an important step to ensuring a company-wide awareness of the legislation and the business’s own rules for handling personal data. The compliance officer needs to have significant knowledge of and involvement in the company’s processing. He or she need not have a legal or technical background but must have a thorough knowledge of the law, codes and industry best practice.
The role is essentially to serve as a central resource for all departments which process personal data, advising on the implications of the law and developing – in common with other managers in the business – the company’s privacy and data protection policies.
Whilst the scope of the role will vary depending on the complexity of the processing undertaken, it is worth remembering that the eight data protection principles (set out in the Data Protection Act 1998, which implements the European Directive) apply equally to small businesses.
Auditing the company's compliance performance is a vital, if not necessarily popular, task. The compliance officer needs to be of sufficient seniority to enforce company procedure and should report the issues to those who run the company. He or she must have the backing of management to enforce the procedures which are designed to ensure compliance.
The role is not just that of data policeman; there is also a major strategic element. The privacy landscape changes regularly and new countries are passing legislation all the time. The compliance officer should make sure that the company's use of data is future-proofed by adopting sensible privacy policies.
Maybe it's the job title that puts people off. You may need to be creative to persuade the right candidate. Try "Privacy Prophet" or "Data Czar"; at least these titles better reflect the potential value of compliance to the business.
Published October 2014
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.