GDPR Learning Hub


The board and management are responsible for GDPR compliance

The board and management are responsible for GDPR compliance and should be involved in the GDPR work. The board has the ultimate responsibility, both strategically and legally. Management is operationally responsible for the implementation in practice.

Prioritise data protection work

A fundamental issue that the board and management should take into account in their work is ‘What is the purpose of this?’ There are several advantages to prioritising data protection work, and these should be communicated internally.

In order to create the best possible conditions for everyone within a company to comply with the GDPR, it is important that the board and management signal that they prioritise data protection work.

Communicating data protection work is a positive

It is good to create value for the data subjects, both internally (employees and consultants) and externally (customers, contact persons, etc.). Implementing adequate technical and organisational security measures to protect the personal data of data subjects is a positive thing for them. In addition, it is good to make this clear to the data subjects, as it can lead to them appreciating the company even more.


Working agile with GDPR

It is positive to adopt an agile way of working instead of traditional goal management in the internal GDPR work. An agile way of working means setting up a vision and working together towards it in stages or cycles. After each stage, there is an opportunity for improvement and change. GDPR work is continuous, so it is good to adopt a way of working that allows changes to be made easily when necessary.

Data subjects gain more and more knowledge about the GDPR

It is good to keep in mind that more and more data subjects, whether they are customers, partners or employees, know their rights and the obligations companies have when processing personal data. Among other things, this entails a greater risk of a complaint to the national data protection authority if the company does not comply with all the rules of the GDPR. In addition, data subjects who are familiar with these rules often have a higher expectation that the company will comply with the GDPR and process the personal data of others as if it were their own.

Do data protection officers need to report to management and the board?

Yes, the data protection officer shall report to the management and the board of directors in accordance with the rules laid down in Article 39 of the GDPR. In other words, the officer reports to the highest and second-highest levels of management within the organisation. The board of directors and the management are responsible for GDPR compliance. Please note that not all companies need to appoint a data protection officer in accordance with Article 37 GDPR.

Principle of data protection by design

All companies, regardless of their size, must implement data protection by design and by default in accordance with Article 25 GDPR. In other words, they must design their products, services and systems so that they are data protection friendly from the start. The board and management are responsible for GDPR compliance and need to keep this in mind when developing products, services and systems. By keeping this rule in mind in their strategic work, management and the board can reduce the burden of internal GDPR work.

A practical example

Withdrawal of consent should be as easy as giving consent. This means that it should be easy for the data subject to find out how to withdraw consent.

The bigger the company, the more work

The larger a company is, the more internal data protection work is usually required. The larger the company, the more important it also becomes to create a strong data protection structure and culture. Good data protection work is driven by the board and management. Larger companies usually also need more GDPR-related agreements and documents than smaller companies.

The board and management are responsible for GDPR compliance and should receive relevant training

The board and management should have knowledge of the GDPR, because it is difficult to set up a strategy for complying with a regulatory framework that they do not understand. It may therefore be useful to organise some form of training for the members of the board and management. The board and management are responsible for GDPR compliance in the organisation.

GDPR training for other employees

In addition, it is important to educate all other employees about the GDPR and the correct processing of personal data, as they are the ones who process the most personal data in their daily work. Some employees may have specific roles in data protection work, such as being part of a data protection committee, acting as data protection support or serving as a data protection ambassador. These individuals should also receive GDPR training relevant to their duties, which the board and management should keep in mind.

Violating the GDPR can have major consequences for companies

The main task of management and the board of directors is to act in the interest of the company, and violating the GDPR is not in the company's interest. The financial consequences can be devastating for the company. In addition, violations of the GDPR can have a negative impact on the brand. In the worst case, breaches of the GDPR can result in fines of up to €20 million or 4% of global annual turnover, whichever is higher.


Appoint a data protection committee in a larger company

In a larger company, it is a good idea to appoint a data protection committee. It usually consists of one person from each department of the company, such as sales, production, technology, customer service, legal, marketing, etc. Its members often have different levels of experience and knowledge of the GDPR, and it is good to share that knowledge within the organisation. A data protection committee should hold regular meetings to discuss the internal GDPR work. In some cases, it may also take less strategic decisions regarding data protection work.
