So, your compliance officer has had data protection compliance as one of his objectives since the year dot. He's bound to be all over GDPR. You definitely have it covered, right?
With the impending introduction of GDPR, data protection compliance can no longer be the responsibility of just one person in your organisation, or a matter of marginal concern. Everyone in the business needs to understand GDPR, what it is and the importance of putting data privacy at the heart of your policies, processes and practices.
This means that:
- the directors, or others responsible for the management of your business, need to have GDPR firmly on their agenda. The widely-publicised penalties for breach of the GDPR and the equivalent legislation being introduced in other non-EU countries (including the Channel Islands) are designed to make data protection an issue for those at the highest level of the organisation
- public authorities, and private sector businesses carrying on high risk processing, must appoint an appropriately qualified and independent data protection officer who will be responsible for overseeing data protection compliance. The data protection officer will need to keep up to date with developments, report directly to management on a regular basis, and liaise with the regulator to the extent required. Other organisations that are not obliged to appoint a data protection officer should also consider doing so as a matter of good practice
- a framework of accountability should be introduced so that all project and team leaders at every level of the business are given responsibility for ensuring compliance with the processes and procedures being adopted in line with GDPR
- regular training should be given to all personnel so that they understand the key requirements of GDPR, what their obligations are and why this is so important to the business
Importantly, you also need to look outside your organisation, to your suppliers and others who will process the personal data you control, to ensure they will comply with the GDPR from May 2018. It is your responsibility as the data controller to exercise a high duty of care in selecting these data processors. Start the discussions now to find out what they are doing to prepare.