CERTIKIT GDPR Implementation Guide V7

Page 21

GDPR Implementation Guide

The only role that is explicitly mandated in the GDPR is that of the data protection officer (DPO). You may or may not need to appoint one. If you are a public body there is no decision to be made (you need one), but otherwise you may need to gather views from different perspectives within the business about whether you handle personal data on a scale that might be considered large. Your supervisory authority may be able to advise, either directly or via its website, if you are unsure about this. If you do need a DPO, you will need to decide whether to appoint internally, share a resource with one or more similar organisations, or contract a service from a third party. Make sure the person who is appointed has the relevant competence, including “expert knowledge of data protection law and practices” (GDPR Article 37, paragraph 5).

Another point you may need to clarify is which supervisory authority you will report to. For single-country organisations within the EU this should be a straightforward matter, but if your organisation operates in more than one member state, there is the concept of a lead supervisory authority, or “one-stop-shop” system, which may reduce the workload in dealing with data subjects in multiple countries. If your organisation is based outside the EU, the one-stop shop is not available to you, and you may have to deal directly with several supervisory authorities if there is an issue. There is, however, a decision to be made about who will be your representative within the EU for GDPR purposes. If your organisation deals with customers in many member states, you should try to choose a representative in the member state you do most business with. Remember that you will need to be able to justify this choice, but there may be some flexibility if you have a preference.

You also need to identify the training needs of the people who are taking on the various roles involved in achieving compliance on an ongoing basis. This may be done by defining what competences are required (use the GDPR Competence Development Procedure) and then conducting a comparison exercise by questionnaire to find the gaps (use the GDPR Competence Development Questionnaire); these may be filled via a combination of formal and informal training, including courses, webinars, seminars, books and, of course, reading the Regulation itself. Training may typically be needed in areas such as data analysis, data protection impact assessments and incident management.

5.3 Step 3: Personal data analysis

Relevant Toolkit documents:
• Personal Data Analysis Procedure
• Legitimate Interest Assessment Procedure
• Records of Processing Activities
• Personal Data Analysis Form
• Personal Data Analysis Diagram - VISIO
• Personal Data – Initial Questionnaire

www.certikit.com
