GDPR
Data Protection Committee in companies
Larger companies should create a data protection committee to streamline and improve their internal data protection work. In other words, create a body that has decision-making mandates and consists of people who work with the various functions within the company where personal data is processed.
What does a data protection committee do in companies?
A data protection committee in companies does the following, among other things:
- Acts as a decision-making and control body.
- Makes some strategic decisions regarding the internal data protection work.
- Follows up on various actions that the company is taking or intends to take.
Good to have one person from each department on the data protection committee
In a larger company, it is common to have different departments, such as marketing, customer service, sales, law, product development, etc. The different departments usually process personal data in their work. Thus, they have different perspectives on, for example, how valuable personal data is, when personal data should be erased and how the collection takes place. In addition, they can receive direct feedback from data subjects, which can be very valuable to share internally.
Therefore, it is a good idea to create a data protection committee in a larger company that includes at least one person from each department, such as the head of department. In addition, it is good if someone from the management is part of the company’s data protection committee, such as the CEO.
Strategic issues in data protection work
The most general strategic issues are usually dealt with by the management or the board of directors. However, a data protection committee may take decisions of a strategic nature that are not excessive.
If the data protection committee disagrees on important strategic issues
There may be situations where a data protection committee does not agree on, for example, certain strategic issues. In such cases, it is good to involve senior management, who may be better placed to make certain larger decisions with higher risk, as it is their responsibility in the end.
Have regular meetings
A data protection committee should have regular meetings to discuss various issues regarding the internal data protection work and GDPR compliance in the organisation. It helps to have fixed, regular times for such meetings, for example monthly or quarterly. Beyond that, it is good if the data protection committee has at least one meeting per year with the management and the board, to update them on the internal data protection work.
Ensure that the data protection committee receives appropriate training on the GDPR
It is good to provide appropriate training to the members of the data protection committee. In addition, it may be appropriate for them to receive more individual training that suits their duties in, for example, the department in which they work. Since they usually have a different role in the company as well, they do not always need very in-depth training on GDPR, as it can take too much time. Instead, they should have access to data protection support, a role that usually works full-time on the internal GDPR work within the organisation.
Data protection support
Data protection support is often the central coordinating role when it comes to the work on data protection and GDPR in the company. It can be a lawyer, but it doesn’t have to be. Often, this role involves only one task, which is to work with questions relating to the GDPR. This is different from data protection ambassadors, the people in the data protection committee and the management, who usually have it as part of their other work. Data protection support can appoint data protection ambassadors in order to improve the efficiency of data protection work, as it will be easier to get relevant information to employees.