I’ve recently been nominated as our company’s Data Protection Officer (DPO). While I’m slightly daunted, it does make sense because, as the company’s Operations Manager, I should have a keen awareness of the personal information that we hold. While I’d like to think that we’ve always taken data privacy seriously, the new regulations which come into force on 25 May have really upped the ante. It’s no longer enough to park Data Protection well behind the exigencies of the day job and worry about it as and when there’s a suggestion of a breach. It has to be an integral part of all that we do.
If you’re a fellow DPO, or suspect that your appointment as one is pending, your immediate thought might reasonably be “I can do without all of this additional work and responsibility.” You’ve probably seen publicity material suggesting there’s loads of work to do which numerous companies can help you with. There also seems to have been a lot of focus on swingeing fines. I personally take heart from the Information Commissioner’s Office’s own releases, which have:
- highlighted that many of the “new” requirements are already in the existing legislation
- stressed that they’re not chomping at the bit to fine companies
As a company that works closely with schools, drb Schools & Academies Services fulfils both categorisations in the regulations. We control the personal data of our staff while we process personal data (e.g. staffing forecasts and spreadsheets) on behalf of the schools and academies that we work with.
As a nominated DPO, you first of all need to fully understand what personal information you hold and document this. I’m part way through this process. When completed, I intend to write to each staff member/School Business Manager to give them the assurance that we’re aware of the new GDPR requirements and that our privacy arrangements comply with the required standard. Obviously, if you identify any issues at this early stage then tackle them. If there is any potential for a breach, then take steps now to ensure that this potential is minimised or eradicated.
As the DPO, you’re not going to be able to ensure compliance on your own. You have to make sure that your team supports you in keeping data privacy a priority going forward. I have insisted that it be added to the agendas of all meetings within the company. I have also ensured that it is a standing item for all staff training sessions. I’m sure that there will be mutterings that I’m becoming a Data Privacy Bore, but I think that’s part of the DPO role: share the understanding of, and responsibility for, this important legislation widely.
I’m a long way from being an expert on GDPR, but I am determined that our company retains a strong reputation for data security after 25 May. I will post follow-up blogs on my progress and, in the meantime, if anyone wants to contact me to “compare notes”, by all means drop me a line at firstname.lastname@example.org. Good luck to my fellow DPOs.