The General Data Protection Regulation (GDPR) is coming into effect in May 2018, giving companies less than 6 months to achieve full compliance. Many firms in Europe are concerned about the regulation, which imposes hefty fines and severe penalties in the event of non-compliance or breach of data (4 per cent of the annual world turnover of the whole group or Eur 20 m whichever is greater).
There is a huge amount of confusion around GDPR at the moment. GDPR not only requires companies to mitigate data protection risk and implement a well-built data protection infrastructure but also to review and update their technical and organisational measures to protect personal data. There are many question marks which will be answered only by practice of the new law and the attitude of local regulators. Firms need to document all the processes they have in place to become compliant, as this will help them if any future cases regarding GDPR are raised by the Data Protection Authority in their jurisdiction or if a case comes before the courts. Until cases do arise in the European Court of Justice or under jurisdiction of local regulatory bodies, much of GDPR will be down to interpretation.
One particular area of confusion which needs to be answered before May 2018 is around who (within the organisational structure of the company) bears responsibility for issues related to the GDPR regulation and implementation of GDPR requirements. In other words, who should manage GDPR internally?
Some believe that the responsibility for data protection compliance and implementation of the GDPR should be taken by the Chief Compliance Officer (CCO) or Chief Data Officer (CDO) or the Chief Information Officer (CIO). Others point out that compliance efforts need to go right to the CEO and board as ultimately accountable and responsible for compliance.
Accountability is at the heart of the updated data protection regulation, which replaces the 1995 Data Protection Directive. So, who in the business should take responsibility for managing GDPR?
Experts say that everybody in the company is responsible as their common obligation is to ensure the security and confidentiality of critical personal data. Therefore, a company’s senior employees – CEO, the data protection officer (DPO), chief data officer (CDO), CIO, – all must work together to ensure a smooth path to achieving compliance and avoid severe consequences.
Contrary to what many people believe, implementing GDPR is a massive task. One of the common mistakes people do is not understanding the size of the problem. Like with any other major assignment, someone needs to lead the project. Strong leadership is important in order to provide smooth cooperation across departments. It does not really matter who leads the programme as long as someone is in charge.
GDPR compliance efforts need to go right to the top of the company: firms cannot be fully compliant without board involvement. After all, eventually it is the board who is accountable for everything.
Given the unpredictability of the GDPR rules and the high fines for non-compliance, the best piece of advice is that businesses should build a cross-functional leadership team comprising senior representatives from all business areas, including marketing, customer service and procurement.
Once someone has been chosen to lead the GDPR project, and the entire business is on board, training of the personnel and education must also be carefully planned. Training should be tailored to the type of department. There isn’t one-size-fits-all solution.
Across the entire business, everyone needs to be aware of their responsibilities and the consequences of their actions. Companies need to make sure all members of staff are aware.
Back to list
February 04, 2019
The Act on Criminal Liability of Companies is being processed by the Polish Parliament. The new law can be passed even in March. The companies...Read more
January 31, 2019
2018 has been an important year for us. It has been abundant with International Bar Association activities and recognitions, which in turn has...Read more
January 08, 2019
Last month, I was asked to speak at the conference in Moscow at the Law Firm Management Committee of the International Bar Association. My task...Read more