So, who is the person at the “sharp end” of the wedge, as far as data protection is concerned? It is the poor data controller. This is the person who carries a lot of responsibility, perhaps without a lot of knowledge, and who often feels out on a limb with little support.

Responsibility, yes, but accountability lies with the owners/directors of an organisation. They have to make sure that everyone understands their role, which means they need to know how to protect the organisation from leaks, breaches, etc.

Then you get the people actually doing the work (the data processors, as the law sees them) providing feedback – all right, complaining – to the data controller about what is happening at grass-roots level.

If what you do is complex enough, in the eyes of the regulation, you will also need a Data Protection Officer. This person reviews the output of the Data Controller and advises the owners/directors on activities that could be undertaken to reduce, or remove, risk.

Let’s look at the key responsibilities of these four types of people.


Data Controller

As we have already mentioned the poor Data Controller a little, let’s start putting some “meat on the bones”, as it were. First and foremost, the Data Controller must be a part of the organisation, not a contractor or other outsourced resource. The responsibility of the Data Controller is to control what goes on in the organisation and to report it to senior management. Control in this sense also means helping to design the controls and reviews that the organisation implements in order to comply with data protection legislation.

Organisations need to ensure that the Data Controller has the resources (knowledge, time and/or assistance) required to complete the tasks of the role. The Data Controller also needs close contact with both senior management and the processors. In other words, the Data Controller can have help to complete the tasks that make up this role, but they retain responsibility for their completion. In larger organisations it can be common to have more than one Data Controller, often with one dedicated to HR matters. One key matter to be addressed is appropriately controlling the processing of Special Category Data, as the most recent laws require additional controls and/or techniques when handling this type of data.

Documenting the recommendations made by the Data Controller to those higher in the organisation, or to the trustees in a not-for-profit organisation, is a key responsibility that the Data Controller cannot escape. It also acts as their safety net, as these records prove that they are fulfilling their obligations correctly.


Data Processor

As mentioned above, these are the people who “DO” what is prescribed by the policies and procedures of the organisation. It is expected that communication between the data processors and the data controller(s) is constant and monitored. Feedback from the Data Processors on what works, and what doesn’t, in the processes they have to follow is vital. This helps the organisation identify requirements, even if the requirement turns out to be further training.

It is important to understand that Data Processors can be financially penalised for wrongdoing, but not for poorly controlled or poorly written processes. There are many cases where those processing data who have illegally used it for their own profit, or other gain, have received both a fine and a criminal record.


Data Protection Officer

The Data Protection Officer (or DPO) carries an advisory role for any organisation that either a) is required to have one under the ICO guidelines, or b) elects to have one out of its own diligence. The role of the DPO is effectively the same whatever the organisation’s reason for appointing one.

The DPO is the one role that can be outsourced, which is particularly useful to smaller organisations. There are still guidelines to be considered. DPOs should:

  1. Have appropriate professional qualifications.
  2. Be able to provide effective oversight.

The DPO’s tasks are specified in Article 39 of the regulation (apologies for the reference, but it is easy to Google this bit), and can be summarised like this.

The best way to think of a DPO’s responsibility is that they take a risk-based approach to an organisation’s activities. Senior management are then accountable for the decision on whether each identified risk is mitigated or accepted (basically, do something about it or ignore it).


Owners, Directors and Trustees of not-for-profit organisations

The highest level of an organisation is where the accountability for compliance with all regulations is to be found. The Data Protection Act 2018 reinforces this to such an extent that the ICO counts accountability as a seventh principle for compliance with the regulations.

In short, if the direction from the top is to ignore the regulations in whole or in part, then liability can stop at this level. This is irrespective of what the Data Controller can or cannot evidence as having been presented to senior management. The introduction of personal financial penalties of up to £500,000 for senior management, by the UK regulator, backs up this stance. This does not stop the organisation being penalised as well.


If you are not this far along yet and want an overview, look at this:

https://eyebray.com/frequently-asked-questions-about-the-first-steps-on-your-data-protection-journey/ This article covers the 10 most important points to make sure you start your data protection compliance journey in the best way.


There is so much more information available, some of it very detailed. Please look through the other blogs and see if the information you want is provided.


If not, we would be pleased to answer your enquiry through enquiries@eyebray.com, or visit https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ for more information direct from the ICO.