Who is responsible for GDPR compliance in your business?
This is a question I come across time and time again in companies of all sizes & businesses of all types. Who exactly is responsible for GDPR compliance? Is it the owner? The staff? The HR department? The online team? The Data Commissioner? The Data Protection Officer? The GDPR officer?
In all honesty this is a really difficult question to answer. After all, the GDPR is a complex piece of legislation and there are a lot of moving parts to it. GDPR is unlike many other aspects of business in that it affects all staff, and everyone needs to pitch in to ensure compliance. I’ll give you two examples so you can see just where & how GDPR might fit into your business.
Example One – Mint Motors. An entirely fictional company run by Ms Mint. She owns the business and works daily from the showroom, but there’s also a business manager, three department heads, a website / marketing person, an IT systems person, 8 mechanics & 4 sales people. Ms Mint attended a GDPR training and decided to appoint Dave, the business manager, as the DPO (Data Protection Officer). Dave is now the go-to person for all things GDPR, but EVERYONE in the company has a role to play. Dave gets to work and ensures that all staff are properly trained on GDPR requirements and correctly understand exactly what their role is. In a business like this, with many people & departments, it is so important that everyone knows and understands how to correctly protect and use personal data. Online data needs to be protected by the IT & marketing team, who ensure that measures are taken to encrypt sensitive information and who are cautious about sharing data with third parties. The mechanic team is trained up on keeping a GDPR-friendly workspace, on what data they are recording over the phone & on correct record keeping, and the sales team is trained in much the same way. By following these steps, Dave has made sure that the whole company staff are acting within the GDPR and that Mint Motors is compliant. GDPR compliance is everyone’s responsibility.
Example Two – Mr Collins is an entirely fictional therapist. It’s just him & his clients, so here the responsibility lies with him. After spending an evening going through pages of old notes, folders & checking his emails, he realises that he holds a LOT of data. There are old records with names and addresses on them, then notebooks with scribbles & thoughts jotted down. He isn’t sure what he needs to cover exactly, what he can keep vs get rid of, and exactly what paperwork he needs to hold on to. Even then, how should he go about getting rid of the things he doesn’t need to keep? In this situation he made the call to work with a GDPR specialist to correctly review and assess the situation and put him on the road to compliance.
As you can see, every business is different and each situation is different, so the responsibility for compliance is an ever-evolving and complex question to answer. If you’ve read this and are thinking you need to work with someone on GDPR, I’m here to help! I conduct reviews and audits of businesses both online and offline, large and small, with staff and without. I also offer a DPO service where I can act as the DPO for your business and pitch in when needed. If you are running an operation where you can appoint your own DPO, I can conduct training with them & with all staff to ensure everyone knows what role they play. The important thing is that no one buries their head in the sand when it comes to just how important GDPR is!