Building your team and finalising the programme
Achieving GDPR compliance will require a cross-department team. In modern organisations personal data is typically held across multiple departments: human resources, sales, marketing, IT and finance all process personal data on different data subjects for different purposes. With your data map in place, you'll be able to determine exactly which departments need to contribute a member to the team.
Appointing a data protection officer (DPO)
An effective team needs a leader. To decide who that leader will be, an organisation must first determine whether or not it needs to appoint a DPO. Under Article 37, a DPO is required for public authorities and bodies, and for any organisation whose core activities consist of regular and systematic monitoring of data subjects on a large scale, or of processing special categories of personal data (or data relating to criminal convictions and offences) on a large scale.
Several of those terms (core activities, regular and systematic monitoring, large scale) require more explanation, and the Article 29 Working Party (WP29) guidelines on DPOs provide it:
- Core activities are the key operations necessary to achieve an organisation's goals. They don't include ancillary activities, such as payroll or standard IT support. They do include processing that forms an inextricable part of the organisation's activity: a hospital's core activity is to provide healthcare, and that cannot be done without processing patients' health data.
- Regular and systematic monitoring is monitoring that is ongoing or occurs at particular intervals, is repeated at fixed times and/or is constantly taking place. 'Systematic' means it occurs according to a system, is pre-arranged or methodical, and/or is carried out as part of a strategy. For example, internet tracking and behavioural advertising are considered regular and systematic monitoring, as are loyalty programmes.
- Large scale is a less defined concept. There's no set quantity for what would be considered large scale, but organisations should consider the following factors: the number of data subjects, the volume of data and range of data items, the duration or permanence of the processing, and its geographical extent.
If an organisation meets any of these three conditions it must appoint a DPO. It doesn't matter whether it is a controller or a processor, and it doesn't matter whether it is a small or medium-sized business: regardless of its size, any organisation that meets the requirements must appoint one.
An organisation that doesn't need to appoint a DPO can still do so voluntarily, but if it does, the DPO attracts all the obligations of Articles 37 to 39. Alternatively, such an organisation can appoint a data protection representative (DPR) who is responsible for data protection without DPO status. In that case the job title and contract must make it clear that he or she is not a DPO as defined under the GDPR.
Role of a DPO
A DPO has responsibilities beyond leading the team and implementing your GDPR compliance programme.
A DPO must report to the 'highest level of management', i.e. directly to the Board. A DPO need not be full time; the role can be part time as long as that time is sufficient to fulfil the duties below. The DPO also doesn't need to be an internal position; the role can be outsourced to a third party.
The duties of a DPO are to oversee the organisation's compliance with the GDPR. These include:
- informing and advising the organisation and its staff of their GDPR obligations
- monitoring the organisation's compliance with the GDPR, which can include responsibility for its data protection policies, assigning responsibilities, raising awareness, training staff and auditing
- providing advice on data protection impact assessments (DPIAs) and monitoring their performance
- acting as the liaison between the supervisory authority and the organisation, and as the contact point for data subjects on matters relating to their personal data.
Note that a DPO is not personally liable for the organisation's compliance; the ultimate liability rests with the organisation. The organisation must therefore ensure that the DPO has the resources to carry out the necessary tasks.
Appointing an EU representative
If your organisation is not established in the EU but must comply because it offers goods or services to data subjects in the EU, or monitors their behaviour, then under Article 27 it is required to designate a representative in the EU. The representative must be designated in writing, which in practice means setting up a contract or mandate with the designated party.
Selecting the members of the team
The DPO (or DPR) appointed to lead your team should choose a member from every department that processes personal data. At a minimum, even for the smallest organisation, it'll probably be a two- or three-person team consisting of someone from HR and someone from sales or marketing, since almost every organisation processes personal data of its employees and its clients.
Developing a programme
The first step towards developing a programme is to complete an audit of all data processing activities in order to understand and assess the legal grounds on which personal data is collected and used. This will have been done as part of the data mapping process explained in the first lesson. The programme needs to include, at a minimum, the following elements:
- Gap analysis to determine compliance of current processing practices with accountability principles
- Review of consent management practices and policies
- Review of data subjects, e.g. are you now doing online business with children?
- Review of privacy notices and policies
- Policies, training and systems to ensure data subject access requests are handled within the statutory time limit
- Review of automated decision making and profiling to ensure its legality
- Review of IT security, including policies, procedures and technology
- Review and development of breach incident response plans
- Review of vendor contracts
- Review of international data flows to determine their legal adequacy
Additional staff may be pulled into the process on an ad hoc basis in order to implement the programme. The DPO, together with management, should therefore begin an organisation-wide communication effort to raise awareness of the GDPR, its impact and its importance to the organisation.
This communication exercise will ensure that individuals support the DPO or DPR in implementing the programme. As part of these awareness-raising efforts, staff should be made aware that if they have access to personal data they will receive specific training in relation to the GDPR.
Now that you have your team, your programme, the buy-in and the awareness across your organisation you’re ready to begin!
If you’re looking for a system that will not only help you create the programme but also document every step along the way, look no further than GDPR365.
GDPR365 enables you to easily get your compliance documentation in place, train your employees and manage your direct marketing, HR and IT services. GDPR365 manages and stores all contract documents with your processors and your data-sharing agreements, and provides full workflows to manage data subject access requests and personal data breaches.