With the need to comply with the European Union's General Data Protection Regulation (GDPR) since it came into force in May 2018, a number of new roles have emerged that companies and organisations must assign in order to avoid breaching the legislation and incurring the financial penalties it provides for.
There are four main roles laid out by the GDPR legislation.
Data Controller
The controller, or data controller, is the person or entity within a firm or group who decides why personal data needs to be processed and how it will be managed. There may be more than one data controller, or joint data controllers. For example, a company with a large headquarters and several regional offices may have data processing policies set at both global and local levels.
The controller is responsible for all decisions concerning the management and processing of personal data. Should a GDPR breach take place, the controller is the point of contact for the local Supervisory Authority.
Data Processor
The GDPR defines a data processor as the person or entity that processes personal data on behalf of the controller. A data processing agreement must be in place between the controller and the processor before the processor may begin managing and processing personal data.
In most cases the processor is a third-party body. The processor ensures that all aspects of the data processing agreement are honoured, so that the GDPR is not breached and personal data is always kept in safe conditions.
Data Protection Officer (DPO)
As a legal matter, a Data Protection Officer must be appointed to comply with the GDPR. The DPO oversees all aspects of personal data management and security strategy within an entity.
The role does not have to be an external hire; an existing member of staff may be appointed to the position and take on its responsibilities. Typically, large firms designate a dedicated DPO, while smaller companies with lower budgets assign the tasks to an existing member of staff.
The DPO is responsible for ensuring that every element of the GDPR legislation is adhered to within the organisation. They are also charged with ensuring that other members of staff are trained in and aware of the GDPR rules.
GDPR Representative
Companies based outside the EU must appoint a GDPR Representative to act for them within the EU and ensure that GDPR compliance is in place. This representative is the point of contact with the EU.