The General Data Protection Regulation (GDPR) is due to come into full effect in May 2018, giving companies less than one year to come into compliance. Many firms are concerned about the regulation, which imposes fines for non-compliance and data security breaches. So, who needs to manage compliance internally?
There is a huge amount of confusion around GDPR, from what the regulation is to whom it applies. One particular area of confusion is who, within a company, bears responsibility for issues related to the regulation.
Some believe that GDPR efforts should be led by the Chief Information Officer (CIO), while others have pointed to the Chief Information Security Officer (CISO), given the stringent security requirements. Others believe that the CEO and board are ultimately responsible for compliance, with some IT practitioners suggesting the emerging Chief Data Officer (CDO) could have a significant role to play.
Accountability is at the heart of the updated data protection regulation, which replaces the 1995 Data Protection Directive. So, who in the business should take responsibility for managing GDPR?
Experts say that everybody in the company is responsible. Therefore, a company’s senior employees – the data protection officer (DPO), chief data officer (CDO), CIO, CISO – must work together to ensure a smooth path to achieving compliance.
At the same time, someone needs to lead the project. Strong leadership is important, says Duncan Brown, associate vice president, European Security Practice, at IDC EMEA.
“Sometimes it comes down to someone stepping forward and saying, ‘I should be on this’,” he says.
GDPR compliance efforts need to go right to the top of the company: firms cannot be fully compliant without board involvement. After all, it is ultimately the board that is accountable, points out Saurabh Ghelani, digital trust and GDPR expert at PA Consulting Group.
Ghelani advocates a cross-functional leadership team comprising senior representatives from all business areas, including marketing, customer service and procurement. “This will make implementing GDPR a success,” he says.
Data protection officer
The GDPR (Article 37) requires certain organisations, such as public authorities and those whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data, to have a data protection officer (DPO) in place by May 2018. This is leading some firms to assume the DPO should take charge of every aspect of GDPR.
This is not necessarily the case. Under the GDPR, the DPO’s role is to make sure the regulation is adhered to, says Tim Grieveson, IT and change director at general insurer Legal & General, and former chief cyber security strategist at Micro Focus. He adds: “Everyone, from the board of directors down, has responsibility and accountability in GDPR when dealing with citizens’ data.”
In addition, according to Brown, the DPO role is not suited to overseeing all decisions relating to GDPR: “The nature of a DPO is they should not be a decision maker determining data processing – for example deciding which software to use. They need to be the internal watchdog of internal processing, so it’s not their role to make those decisions.”
Taking this into account, implementing GDPR is not a one-man show, says Ghelani.
“Embedding GDPR is not only the responsibility of the DPO; it’s also an organisational topic and needs support from all key functions.”
He explains: “The DPO or the legal and compliance functions may drive GDPR implementation initially. However, stakeholders across the personal data ecosystem have an equal part to play in the project as it will impact their roles and activities.”
According to Ghelani, if a company has not yet appointed a DPO, the responsibility of driving the GDPR project should be with a senior management representative who has the “gravitas, mandate and visibility across the business”.
This could potentially be the COO or CEO, he says. Such a role can draw on a company-wide network to implement GDPR in the most effective and efficient way.
The person that should lead a GDPR project also depends on the individual business’s needs. As part of this, it is important to assess how the organisation sees GDPR. “It depends on your approach to GDPR and what business you are in,” Brown says. For example: “If you are a conservative organisation in terms of IT spend and business risk, it might be better to sit in legal departments.”
On the other hand, a company might see GDPR compliance as a positive, in which case it can be marketed as a differentiator. Take, for example, a Norwegian marketing database company dealing with personal data.
“The nature of their business means they are under substantial threat from GDPR,” says Brown. “But the guy who runs the programme is head of marketing. He thinks if they do GDPR better, they can use it as a competitive advantage.”
Brown also cites the example of a company in Belgium dealing with sensitive personal data. “If they lose that, they go out of business. The one who runs this programme is the CEO as it’s their core business strategy.”
Overall, it doesn’t really matter who leads the programme as long as someone is in charge, says Brown. “Whoever leads it, it must be a cross departmental project,” he adds.
It is about working together, across departments, agrees Grieveson. He advises: “Mobilise a greater workforce – not just the CIO and IT team. Bring in marketing, and risk and compliance. [GDPR] is everyone’s responsibility.”
Once someone has been chosen to lead the GDPR project, and the entire business is on board, staff training and education must also be considered. Grieveson says training should be tailored to the type of department. “There isn’t one-size-fits-all,” he explains.
Across the entire business, everyone needs to be aware of their responsibilities and the consequences of their actions, says Brown. “We are all responsible at some level for compliance. Companies need to make sure all members of staff are aware.”
“Companies tend to send people to cyber-security training once a year,” he says. “This is not good enough, it has to be a continuous process.”
Grieveson advises firms to look to experienced partners such as Micro Focus: “Our Journey to Value proposition can be used to bring together multiple departments for GDPR compliance.”
“Many companies aren’t going to be compliant by May 2018,” says Grieveson. “The best thing to do is to see that date as the start of enforcement and continue to develop an approach to privacy that matures as your business changes.”