GDPR: A Closer Look at a Company’s Stakeholders and Their Obligations
Anyone involved in a company-wide EU General Data Protection Regulation (GDPR) initiative will probably agree that this isn’t an ad hoc approach—it’s a high-grade, cross-functional program. Typically, GDPR programs involve several work streams running in parallel across multiple business lines and geographies. And no matter how many people and business processes are involved (or what their titles and roles may be), they will all fall under four major stakeholder groups. In this blog, I’ll detail each group’s primary obligations.
CEO and Board of Directors
The CEO and board of directors will be interested in:
- Impact of GDPR on business processes: achieving a top-to-bottom review of the relevant personal data being processed within the business processes, and understanding the risks and challenges as well as the new opportunities.
- Employee training on the new requirements, creating awareness of how staff should take notes and record information about customers, prospects, and employees.
- Protection against GDPR-related fines and the impact on directors’ and officers’ liability insurance (also known as D&O insurance), along with the company’s current GDPR risk exposure.
- Cost effectiveness of data: is the company collecting and accessing more personal data than it needs? Look for ways to reduce the amount of data being gathered, since the continued accumulation of silos of unused, and potentially toxic, data increases the need for encryption and therefore requires more investment.
CCOs, CROs, and Related Roles
In contrast to the data protection officer, the chief compliance officer (CCO) and chief risk officer (CRO) will focus on “Lawful Processing” Art. 6 GDPR and “Accountability” Art. 5 GDPR to demonstrate compliance by:
- Introducing clear company-wide data protection policies to ensure an agile response to potential breaches and the ability to inform the relevant authorities quickly
- Establishing an accountability framework by adding documentation of current GDPR risks and controls into the existing internal controls system.
- Incorporating a risk-based approach by assessing the “likelihood and severity of risk” of personal data processing operations. For example, “high-risk” processing operations will raise additional compliance obligations, such as data protection impact assessments (DPIAs) and so forth.
- Encouraging a culture of monitoring and assessing data-handling processes
Data Protection Officers
All businesses that market goods or services to customers within the European Union and collect data must appoint a data protection officer. The DPO works on behalf of the customer’s privacy. Thus, many of the recommendations of a data protection officer will run contrary to the aims of other data roles within the company.
The data protection officer (DPO):
- Keeps up on laws and practices around data protection
- Conducts privacy assessments internally
- Ensures that all other matters of compliance pertaining to data are up-to-date
- Is responsible for advising the organisation of its obligations and monitoring compliance
- Must report directly to the highest level of management and have “expert knowledge” of data protection
- Can also be outsourced
CISOs, CIOs, and Business Process Owners
These roles generally deal with keeping a company’s data safe and making sure that these troves of data are being exploited to improve business functions across the company. The chief information security officer (CISO) will:
- Define GDPR requirements in the security strategy
- Manage information risk management, security incidents, and crisis management
- Be responsible for cyber security, including monitoring access to personal data and reporting of data breaches
- Limit who has access to personal data and make sure that access is authorized and reflects personnel changes that happen within an organization
The chief information officer (CIO) can advise the DPO on technical solutions, and will typically focus on architecture and fulfilment of new rights of the data subject (Chapter 3 GDPR). These include:
- Data subject’s consent for the processing of personal data, which may be revoked at any time
- Data subjects—like customers, subscribers, users, employees, partners, external workforce and so on—will get extended information rights: the right to correct information, the right to export and transfer, as well as the right to be forgotten.
- Information that is no longer required to be stored (for legal reasons, for example) is expected to be completely removed from all storage systems
As I stated earlier, actual titles and roles will vary from organization to organization, but organizations subject to the EU GDPR will each need to establish comprehensive programs addressing these key data privacy areas. The more automated and integrated the program is (with existing business applications, audit, and compliance tools), the more effective, cost-efficient, and preventive this program will become.
For more information on the new regulations, read our other GDPR blogs.