GDPR-DOC-02-1 GDPR Roles and Responsibilities


GDPR Toolkit: Version 8 ©CertiKit
GDPR Roles and Responsibilities

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

The document sets out some of the main roles that may be involved in GDPR compliance, together with their relevant responsibilities.

Areas of the GDPR addressed

The following areas of the GDPR are addressed by this document:

• Article 24: Responsibility of the controller

• Article 28: Processor

• Article 37: Designation of the data protection officer

• Article 38: Position of the data protection officer

• Article 39: Tasks of the data protection officer

General guidance

An organisation may be structured in many ways, depending on size, geographical spread, technology, culture and whether customers are internal or external, amongst others. Because of this, you will need to tailor this document to reflect your own organisation’s structure and job roles.

In a larger organisation, these roles will often be allocated to different people. In a smaller organisation, these responsibilities may need to be allocated to relatively few people.

The roles required will depend on whether your organisation is a controller, a processor or both, and on whether your processing meets the criteria that require the designation of a data protection officer.

Review frequency

We would recommend this document is reviewed annually and upon significant changes to the organisation structure.

GDPR Roles and Responsibilities Version 1 Page 2 of 14 [Insert date]

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.

To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.

2. Press Ctrl+A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).

3. Press F9 on the keyboard to update all fields.

4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl+Shift+F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions document.

That document also contains guidance on working with the toolkit documents on an Apple Mac and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.

If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.

Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.

You should take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.

GDPR Roles and Responsibilities

DOCUMENT REF GDPR-DOC-02-1

VERSION 1

DATED [Insert date]

DOCUMENT AUTHOR [Insert name]

DOCUMENT OWNER [Insert name/role]


Revision history

VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES

Distribution

NAME | TITLE

Approval

NAME | POSITION | SIGNATURE | DATE

Contents

1 Introduction ... 8
2 Data protection roles ... 9
3 Specific role responsibilities ... 10
3.1 Data controller ... 10
3.2 Data processor ... 11
3.3 Data protection officer ... 12
3.4 Information security manager ... 13
4 Other roles with data protection responsibilities ... 14
4.1 Department managers ... 14
4.2 Employees ... 14

Figures

Figure 1: Organisation chart ... 9

1 Introduction

[Organization Name] treats the security of its personal data very seriously. One of the key attributes of an effective approach to data protection is a clear allocation of roles, each with defined responsibilities. Each of these roles needs to be allocated to specific individuals or groups within the organisation.

It is vital that everyone within the organisation understands the part they must play in keeping the personal data we hold and process about individuals safe. This document should be read in conjunction with others that set out how data protection is managed within [Organization Name], including:

• Data Protection Policy

• GDPR Competence Development Procedure

• Data Protection Impact Assessment Process

• Information Security Incident Response Procedure

• Personal Data Breach Notification Procedure

• Data Subject Request Procedure

By ensuring that roles and responsibilities are clearly defined we will be in a good position to prevent many data protection incidents affecting personal data from happening and to react effectively and appropriately if they do.


2 Data protection roles

Within the data protection framework relevant to our compliance with the GDPR, the following major roles need to be defined and allocated:

• Data Controller

• Data Processor

• Information Security Manager

• Data Protection Officer

The specific responsibilities of each of these roles are set out in later sections of this document. There are also particular data protection responsibilities that must be carried out by existing internal roles within the organisation and these are also set out in summary within this document.

These roles are:

• Department Managers

• Employees

In general, responsibilities that apply to all employees, contractors and other interested parties are set out within the relevant organisational policies.

A subset of the organisation chart showing the relevant data protection roles is shown below:

Figure 1: Organisation chart [Explain the main parts of the structure and any relevant information such as geographical location, upcoming changes, part-time positions etc.]

3 Specific role responsibilities

This section details the specific data protection responsibilities of each role within the [Organization Name] organisation structure. It does not include any other types of responsibility (e.g. managerial or technical) and should not be taken as a full job description. The competences necessary to fulfil each role are defined in the document GDPR Competence Development Procedure.

3.1 Data controller

The GDPR defines a “controller” as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. Accordingly, the responsibilities described below may be assigned to an individual or may be taken to apply to the organisation as a whole.

The Data Controller has the following responsibilities:

• Ensure that the principles relating to processing of personal data described in Article 5 of the GDPR are adhered to and be able to demonstrate compliance with them. In summary, these are to ensure that personal data are:

o Processed lawfully, fairly and transparently

o Collected for specified, explicit and legitimate purposes

o Adequate, relevant and limited to what is necessary

o Accurate and, where necessary, kept up to date

o Kept in a form which permits identification of data subjects for no longer than is necessary

o Processed in a manner that ensures appropriate security

• Ensure that the consent of the data subject to processing of personal data is obtained where appropriate, including parental consent for children

• Provide all the information required under the GDPR to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language

• Facilitate the exercise of data subject rights under the GDPR and keep the data subject informed of the progress of their request

• Implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR

• Ensure that only processors that provide sufficient guarantees to implement appropriate technical and organisational measures to meet the GDPR and protect personal data are used

• Maintain a record of processing activities related to personal data which fall under the controller’s responsibility

• Cooperate, on request, with the supervisory authority in the performance of its tasks

• Ensure that any person acting under the authority of the controller who has access to personal data does not process them except on instructions from the controller


• Notify a personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, in accordance with organisational procedures

• Document any personal data breaches, including the facts relating to the personal data breach, its effects and the remedial action taken

• Where appropriate, communicate a personal data breach to the data subject without undue delay

• Carry out data protection impact assessments, where appropriate, in accordance with procedures

• Designate a data protection officer where required by the GDPR, publish their details and communicate them to the supervisory authority

• Support the data protection officer in performing their tasks by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge

• Transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available

3.2 Data processor

[Note: this role is only relevant if your organisation is acting as a processor on behalf of a controller].

The GDPR defines a “processor” as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. Therefore, the responsibilities described below may be assigned to an individual or may be taken to apply to the organisation as a whole.

The Data Processor has the following responsibilities:

• Ensure that all processing of personal data is governed by a contract or other legal act that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller

• Process the personal data only on documented instructions from the controller, including regarding transfers of personal data to a third country or an international organisation

• Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality

• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of personal data

• Obtain the prior specific or general written authorisation of the controller before engaging another processor


• Assist the controller in the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights

• Delete or return all the personal data to the controller after the end of the provision of services relating to processing

• Make available to the controller all information necessary to demonstrate compliance with the obligations laid down in the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller

• Maintain a record of all categories of processing activities carried out on behalf of a controller

• Cooperate, on request, with the supervisory authority in the performance of its tasks

• Ensure that any person acting under the authority of the processor who has access to personal data does not process them except on instructions from the controller

• Notify the controller without undue delay after becoming aware of a personal data breach

• Designate a data protection officer where required by the GDPR, publish their details and communicate them to the supervisory authority

• Support the data protection officer in performing their tasks by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge

3.3 Data protection officer

The Data Protection Officer is a required appointment in line with the EU General Data Protection Regulation and has specific responsibilities for the protection of the personal data of data subjects.

[Note: A Data Protection Officer is required in any case where:

1. The processing is carried out by a public authority or body, except for courts acting in their judicial capacity

2. The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or…

3. The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.]


The Data Protection Officer has the following responsibilities:

• Inform and advise the data controller or the processor and the employees who carry out processing of their obligations under applicable data protection law

• Monitor compliance with data protection law and with the policies of the data controller or processor in relation to the protection of personal data

• Assign responsibilities, raise awareness and train staff involved in the processing of personal data, and carry out the related audits

• Provide advice where requested regarding data protection impact assessments and monitor their performance

• Cooperate with all relevant supervisory authorities for data protection

• Act as the contact point for supervisory authorities on issues relating to personal data processing and to consult, where appropriate, regarding any other matter

3.4 Information security manager

The Information Security Manager is the primary role with a dedicated focus on information security and related issues.

The Information Security Manager has the following responsibilities:

• Report to management on all security-related matters on a regular basis and ad hoc when required

• Communicate the information security policy to all relevant interested parties where appropriate, including customers

• Implement the requirements of the information security policy

• Manage risks associated with access to the service or systems

• Ensure that security controls are in place and documented

• Quantify and monitor the types, volumes and impacts of security incidents and malfunctions

• Define improvement plans and targets for the financial year

• Monitor achievement against targets

• Identify and manage information security incidents according to a process


4 Other roles with data protection responsibilities

There are several other internal roles within the organisation which, whilst not solely dedicated to data protection, have relevant responsibilities.

4.1 Department managers

Department Managers may be heads or supervisors of operational units within the organisation.

A Department Manager has the following responsibilities:

• Review and manage employee competencies and training needs to enable them to perform their role effectively within the data protection area

• Ensure that employees are aware of the relevance and importance of their activities and how they contribute to the achievement of data protection objectives

• Participate in, and contribute to, data protection impact assessments affecting their business area

4.2 Employees

The responsibilities of all employees are defined in a variety of organisation-wide policies and are only summarised in brief below.

An employee has the following main responsibilities:

• Ensure they are aware of and comply with all data protection policies of the organisation relevant to their business role

• Report any actual or potential security breaches

• Contribute to data protection impact assessment where required
