It’s not too late! GDPR “D-Day” is just over a month away, so it’s never been more important to make sure you’ve got everything in place to be compliant. We’ve done a number of posts recently about the legislation and the effect it will have on your business. For this post, we decided to focus in on a particular job role whose world will be most flipped upside down by GDPR – the data protection officer.
Under the current Data Protection Act (1998), there is no requirement for any business to have a data protection officer, but acting in the best interests of their customers and employees alike, many businesses do have one. This is set to change under GDPR, which leads us nicely onto our first point.
Get yourself a DPO
First things first, if you’re reading this, and you’re not a data protection officer, and your business doesn’t have one, you should seriously consider appointing one. As we mentioned in a previous blog post, GDPR sets out a specific requirement for public authorities to appoint a DPO, but also states that businesses whose data processing is “of a certain nature” are also required to appoint one. This is a bit woolly, but considering the significance of GDPR and the potential consequences if you don’t comply, it’s probably a good idea for any business to appoint or name someone who is responsible and accountable for data control and protection.
Will the real DPO please stand up?
The key thing for you as a DPO when it comes to GDPR is ownership. In your role, you have a responsibility and obligation to your business to own and govern data practices in accordance with GDPR. As part of this, you should make your contact details and GDPR-ownership known and available to internal stakeholders, customers and regulatory bodies (such as the ICO). This is actually a requirement under GDPR – it states that the DPO should be “easily accessible as a point of contact for our employees, individuals and the ICO.” And with documentation being a massive part of the updates to the legislation – once you have been nominated as the DPO, document, document, document. Keep all relevant details in a centralised and accessible location, send out an internal memo, and for bonus points, make the contact details available on your website and send a note to customers, partners and suppliers to make them aware of your new role too. If you’re a long-standing DPO, it might be worth reaffirming this message and ensuring internal and external stakeholders know who you are.
Communication is key
Related to the above point about making yourself known to the wider business and other stakeholders, it’s important for DPOs in a post-GDPR world to have an active – and preferably proactive – role in the business. DPOs should be looking to host meetings and seminars to ensure that the wider business understands any new processes and requirements, and that each job role or function understands its specific responsibilities under the updated legislation. Without clear and consistent communication, you can’t hope to ensure that standards are upheld throughout the business – potentially exposing you to non-compliance.
Your job role shouldn’t actually change – that much
Chances are, if you’ve been the nominated DPO in your business for a while, you’ve probably put in a lot of the practices and processes you’ll need in order to go a long way in complying with GDPR. It’s most likely to be about tightening everything up, reviewing your existing procedures and identifying areas where changes need to be made. The most likely shift in your data protection related tasks will be around documentation – and the increased need for it. Don’t forget that under GDPR, you are explicitly required to document your data processing activities and records on processing purposes, sharing and retention among other things. For more information on the types of things you need to document and have in place for GDPR, download our free checklist.
We can help
A continent-wide change in legislation is a big burden to bear for a single person within a business, and the bigger your business, the more moving parts there are to bring in line. XPO IT Services can help you ensure that your data processing activities in relation to end-of-life hardware are 100% GDPR compliant – we put in place airtight SLAs as well as our own internal processes to ensure compliance. Data getting into the wrong hands after it leaves your premises is a massive risk to data protection, and we can help. If you would like to discuss further, get in touch.