Professional Roles in Personal Data Rights Management
The General Data Protection Regulation was introduced on May 25, 2018 and brought with it and the legal obligation on companies and organizations to comply with the data protection legislation.
This legislation also introduced a range of new professional positions created to help with GDPR compliance. These positions must be delegated if entities wish to avoid being in breach of the legislation and the applicable financial sanctions that may be applied.
There are four professional positions that have been classified by GDPR legislation.
Data Protection Officer (DPO)
A Data Protection Officer must be selected for GDPR compliance to be in place. This DPO will manage every aspect of personal data management and security strategy in an organization.
In order to fill this role an external or existing member of staff should be selected to take over the responsibilities of the role. In most cases companies will appoint a dedicated DPO while smaller companies, with less money to spend, will assign the tasks to a current member of staff.
The DPO must see to it that all parts of the GDPR legislation are being complied with in an entity. They will also take charge of ensuring that other members of staff are trained and knowledgeable in relation to GDPR.
Non-European Union based companies must designate a GDPR Representative to act for them in the EU and ensure their compliance with GDPR. This individual will be the point of contact with the EU in relation to the personal data management of EU citizens.
The controller, or data controller is the individual or entity in a company or organization who decides why data should be processed and how it should be processed. There may be more than one data controller or join data controllers in place. In other words. a company that has a large headquarters and a number of other regional offices may see decisions adapted at local and global levels in relation to how data will be managed.
The controller is the point of contact that will be responsible for implementing all decisions taken in relation to the processing and maintenance of personal data. If a GDPR breach happens, the data controller will be answerable to the relevant local Supervisory Authority.
A Data Processor is a person or group that manages personal data on behalf of the stated controller. A data processing agreement must be completed between the processor and controller prior to the processing data to beginning.
The data processor is, in most cases, a third party body and is responsible for overseeing all aspects of the data processing agreement. Doing so will see to it that GDPR is not being breached and personal data is always kept in secure conditions.