Published on Jul 22, 2021
In our most recent articles, we discussed what the General Data Protection Regulation (GDPR) is, who it applies to, its principles, the rights it provides to data subjects, and the legal basis for processing personal data. We also looked at how the GDPR affects businesses. In this third part of our series, we will examine elements of leadership and oversight that are essential for GDPR compliance, including organisational structure, appointing a DPO, and budget setting.
Leadership and oversight provide the foundation for accountability. Data protection and privacy-related compliance require organisations to allocate staff to certain tasks. Although not all organisations require a DPO, everyone who processes personal data must allocate sufficient resources to ensure the GDPR principles are met. Responsibility must not simply fall on the DPO, or the privacy lead; senior management and the board must take an active role.
Whether you're a startup business establishing initial compliance processes or an established organisation looking to enhance its privacy and data protection programme in order to take advantage of the opportunities provided by optimal compliance, the following needs to be carefully considered:
Read on to discover how these questions can be answered in practice.
Businesses are having to invest more in privacy compliance because the GDPR requires that privacy and data protection by design is embedded throughout an organisation. Increasingly, however, evidence is showing how effective privacy practices provide tangible and intangible benefits to commercial entities.
As we mentioned in our recent article discussing how the GDPR affects businesses, a 2021 study illustrated that those organisations with well-established privacy practices reap higher commercial benefits than average and can swiftly adapt to domestic and international regulatory changes. Furthermore, 35% of companies reported they generated benefits at least two times greater than their investment in privacy and data protection compliance.
A robust strategy is essential to creating privacy policies and procedures that will ensure your organisation can reap the recognised benefits. Determining the right organisational structure is vital to ensure “strong leadership, clear reporting lines and responsibilities, and effective information flows”. The Information Commissioner’s Office (ICO) states that to meet its expectations, organisational structure concerning privacy compliance should:
You must also consider other matters such as where the GDPR compliance programme will sit within your business. All organisations are unique so there are no right or wrong decisions. SMEs may require a less complex setup than a large, multinational organisation but this does not mean that the decision-making process shouldn’t be carefully considered and documented.
The IAPP 2020 Annual Governance Report provides an insight as to where privacy compliance programmes sit within the organisation. In over half (54%) of cases, the legal department takes responsibility.
Finally, you will need to establish who the DPO (or compliance lead if you do not have a DPO) will report to in the organisation. Article 38(3) of the GDPR requires that the DPO exercises their functions independently and that they “shall directly report to the highest management level.” The ICO provides information on DPO reporting lines, and this matter is also discussed in detail in the role of the DPO resource.
One of the first decisions you will need to make is whether your organisation requires or should appoint a DPO. Article 37 of the GDPR sets out the criteria for appointing a DPO and specifies that public authorities or bodies that process personal data within the UK or the EU/EEA must appoint a DPO. Businesses are required to appoint a DPO when their core activities involve large-scale regular or systematic processing of personal data, and/or more sensitive special category data concerning UK and/or EU/EEA citizens. However, even if it is not mandatory for your business to have a DPO, you should undertake a review to assess whether one should be appointed voluntarily.
Article 38 outlines the obligations of the controller and processor which must be considered when selecting a management team to perform the tasks referred to under Article 39. One of the obligations referred to includes:
"providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge."
Whoever is included on the privacy and data protection compliance management team needs the time, contacts, and understanding required to ensure appropriate resources such as ongoing training and access to privacy journals are available.
The tasks of the DPO are set out under Article 39, which states:
The data protection officer shall have at least the following tasks:
To inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other domestic law relating to data protection;
To monitor compliance with this Regulation, with other domestic law relating to data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
To provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
To cooperate with the Commissioner;
To act as the contact point for the Commissioner on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
To achieve these tasks, the DPO must be involved at every stage of data protection and privacy compliance, including any Data Protection Risk Assessments undertaken by your business.
Working alongside a DPO or privacy lead is a team required to oversee the practical implementation of data protection matters, such as handling Data Subject Rights requests, ensuring existing policies and procedures are compliant and fit for purpose, and providing internal communications and training. The average headcount in a compliance team is 15 full-time employees and 18 part-time staff members.
At the very least, your management team should include representation from the Legal, HR, Sales & Marketing, IT, and Information Security departments. Furthermore, the operational oversight group, privacy lead, DPO and CISO should meet regularly to discuss GDPR compliance issues.
There are several factors to consider when setting a GDPR compliance budget. Although every business is different, the following considerations are common to all:
Compliance costs are ongoing and new technologies are developing all the time to make compliance easier and more effective, according to the IAPP 2020 Annual Governance Report. Across the board, the 2020 average privacy and data protection compliance budget was £478,000 ($676,000). The report details average spending at a more granular level:
Interestingly, the report provides granular details about how privacy budgets are being spent:
Organisational structure, management selection, and budget setting are interlinked and all three must be completed concurrently if the benefits of privacy and data protection compliance are to be achieved.
When it comes to appointing a DPO or privacy lead, they must possess legal knowledge of the GDPR and have the skills to oversee and measure a complex compliance programme that is aligned across the entire business. The BCS Practitioner Certificate and IAPP CIPP/E and CIPM Certified Training Courses provide all the knowledge and skills necessary to be a DPO (or privacy lead) in the UK.
In our next article, we will address the readiness assessment and implementation of a GDPR compliance programme.