Organisation Responsibilities to the DPO

Context:

Where the GDPR mandates that a DPO be appointed, it also stipulates (Article 38(2)) that the organisation must provide an appropriate level of support to the DPO to enable them to carry out their duties:

The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks…

Considerations:

Ensure that your appointed DPO has the skills and experience required to perform the role. Then make sure that they report to the highest management level within your organisation, i.e. directly to the board or the owners of the organisation.

Whilst the GDPR outlines some broad areas of responsibility, what is key is that you are able to evidence that the organisation has supported the DPO. In this context this is an ongoing documentary exercise rather than a one-time effort.

It is also a requirement that the DPO operate without any conflict of interest. This generally precludes the DPO from holding senior management positions such as chief executive, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of Human Resources or head of IT. In short, the DPO should not be someone who determines the purposes or the means of processing personal data.

How to:

Be able to demonstrate, with documentary evidence, that the DPO has been supported through the provision of as many of the following as apply to your organisation:

  • Access to all areas and information relating to data protection within the organisation
  • Finance required to support activities, initiatives, communications and training
  • Appropriate systems, tools and infrastructure
  • A direct reporting line to the board/owners
  • In larger organisations, a team of support staff
  • Where the DPO has other duties, time to perform the role
  • Ongoing training provision

Common Scenarios:

The DPO needs to provide GDPR awareness training to staff

  • Ensure the DPO has the time and budget available to construct and conduct the training. Emphasise the importance of the training to other staff members.

The DPO needs to report on compliance with the GDPR

  • Provide the DPO with the tools and systems needed to monitor compliance with the GDPR. Allow the DPO access and time to provide these reports to the top level within your organisation.

References:

  • GDPR Recital 97
  • GDPR Articles 38 and 39

How Gydeline helps

We, at Gydeline, help small and medium sized organisations save money and time by building systems, processes and policies that simplify their business and support their sustainability aims. We do this with a range of services.

If you would like to discuss any aspects of dealing with this and other risks in your business, we are always happy to offer some free, no-obligation assistance – just contact us.
