GDPR has been on the horizon for some time now and most business owners are generally familiar with the overarching principles and terminology behind the regulations, which will be enforced on 25th May 2018. But there remains some confusion over the finer details, particularly regarding data controllers and data protection officers (DPOs) and their remits.
Some people assume they are one and the same thing, but the two roles are entirely different and should be fully understood as business owners prepare for the looming legislation.
Data controllers are not necessarily specific people within an organisation; the term refers to where responsibility for the security of data lies. If a business collects and stores personal information, it is, by definition, a data controller. Put simply, the data controller is the person or organisation that collects and stores data.
There might be one person within a company who formally has the title of data controller or something similar, and is nominated to be responsible for ensuring GDPR compliance, but often the responsibility will be managed along with other duties.
For many smaller firms, a senior member of the business will take on the responsibility for management of data control issues, because they are best placed to assume this role. In other cases, the responsibilities may simply be allocated to different people – there is no hard and fast rule. However, due to the GDPR legislation, some organisations will need to formally appoint a data protection officer who will have data control responsibilities in their remit.
Data protection officers
According to the GDPR, organisations that process or store large amounts of personal data must appoint a DPO to oversee it. In article 39 of the GDPR framework, the responsibilities and tasks of a DPO are outlined. To summarise, the key areas include:
- Educate the organisation and employees on important compliance requirements
- Train staff on what is required to process data securely
- Conduct spot-checks and audits to ensure compliance with GDPR
- Address non-compliance, or potential security breaches proactively
- Act as the primary point of contact between the organisation and the GDPR supervisory authorities
- Keep detailed records of all data processing activities conducted by the business, including a detailed explanation of the purpose of each processing activity, which the DPO must make public on request
- Inform ‘data subjects’ about how their data is being used and about their right to have their personal data erased, and explain what measures the organisation has put in place to protect their personal information
Choosing a DPO
One of the key messages at the heart of GDPR is that organisations must be fully prepared to ‘own’ their data and to place a greater emphasis on its importance and value.
Appointing a DPO puts this requirement into practice and indicates how seriously business owners are taking GDPR. Hiring a DPO need not be a complex process, but it is important to find the right person for the job.
That individual does not require any formal qualifications, but should have “expert knowledge of data protection law and practices”, according to the ICO. They should also have a strong knowledge of existing UK data protection law that predates GDPR.
For those organisations that sit on the cusp of being large enough to require a DPO, but still struggle to justify the cost, it is possible to share a DPO with a similar business.
The recommendation is that each business has its own, but it is legal to have one DPO that oversees processes for a number of organisations. Those going down this route must be very clear on the activities being carried out by the DPO and ensure the person responsible is easily accessible.
While the terminology may be slightly confusing, it is crucial to remember the spirit of GDPR and why it was introduced in the first place. Business owners must be able to prove they understand the responsibility that comes with handling data and show evidence that they have systems in place to deal with it.
Knowing the difference between data controllers, data processors and data protection officers is one of the first steps to creating a plan that results in GDPR compliance.
By Mike Blackburn, managing director, I-COM