Since its acceptance in April of 2016, GDPR (General Data Protection Regulation) has been looming over the heads of organizations, with the clock ticking towards May 2018, when penalties start coming into effect. When an organization is faced with a change in regulation that it may not completely understand, or that will require it to make proactive changes, the tendency is to throw up its hands and say “not my problem.” Who is responsible in your organization for GDPR compliance? The short answer is: everyone.
Almost every department in an organization will be affected by these new regulations, but if you begin preparing employees for these changes as soon as possible, fines and other repercussions need not be a worry. These departments in particular will see the most changes.
HR/L&D – HR will need to ensure that their processes for incoming and exiting employees are up to GDPR standards. This includes clearly defining the regulations and management of data for new employees and for exiting employees, making certain that no internal data walks out of the door with them. Additionally, for current employees, any information regarding health care, pensions, or taxes needs to be handled securely. Lastly, larger organizations will need to hire a DPO, or Data Protection Officer. This role will serve as the point of contact between your organization and any Supervisory Authorities. Smaller organizations may be able to elect an existing member of staff to carry out these responsibilities. Any department tasked with Learning and Development should update training material to include what to do in case of data loss, for both new and current employees.
Procurement – Employees in the procurement department will need to ensure that any partners or third parties adhere to the same GDPR rules and regulations that your organization does. Additionally, those partners must be informed of any data protection standards that you follow and, like your own employees, what to do if they suffer a loss of data.
Legal – Those in the legal department will need to confirm that all contracts with customers, partners, and third parties are up to date with all of the new regulations.
Marketing/Sales – Marketing and Sales must be sure that only customers who have positively opted in to receive mail are included in campaigns. Additionally, any terms and conditions that customers need to accept or decline should be written in layman’s terms and be easy to understand. Filling T&Cs with legal jargon that customers cannot make sense of will no longer be allowed.
Security – This applies to physical as well as virtual data in the office. Organizations need to ensure that their physical data is handled with as much care as what is online, and be sure that any files kept in an office are sufficiently secured.
In the end, everyone is responsible for the changes regarding GDPR because of the high level of consequences. However, there should be a leader guiding this cross-departmental project. Whether it is the CIO, CISO, or CMO, management should lead the initiative and take responsibility for GDPR changes within the organization.