GDPR Learning Hub

Personal data in Business

Data protection structure in a company

A good data protection structure is what allows a company to comply with the GDPR in practice. The better the structure around data protection, the more efficiently employees can do their work, since they know who decides what, where to turn with questions and which routines to follow.

The starting point for creating a good data protection structure in accordance with the GDPR

There are several ways to create a good data protection structure. The starting point should always be to adapt the data protection structure to the business as it actually operates. In other words, it is usually not necessary to change the corporate structure itself in order to comply with the GDPR.

For example, the head of customer service may be an appropriate data protection ambassador for that department, given additional GDPR training on the issues relevant to customer service. The company should build on the support functions and structures that already exist and make the necessary additions or adjustments.

Decentralised decision-making on GDPR issues

Decentralising decision-making on GDPR issues lets the company work more efficiently. For example, data protection ambassadors can be empowered to make certain minor decisions themselves instead of having to turn to management or the board, which is time-consuming and often inefficient.

Establishing governance documents for decentralised decision-making

Decentralised decision-making only works if the company establishes clear governance documents, provides appropriate training and builds a good data protection culture; without them, decisions taken at different levels will not be consistent. Other employees may also be given authority to make certain decisions themselves in order to make their work more efficient. For example, a customer service worker may be given the right to erase personal data at the request of a data subject, within a documented routine for verifying the request.

Establish necessary GDPR-related agreements and documents

To streamline GDPR work as much as possible and comply with the regulation, the company should draw up written contract templates, routines, response templates, checklists, summaries and other supporting documents for employees. In this way, employees know, for example, how to act in the event of a personal data breach or what to answer when a data subject requests that their rights be fulfilled.

Provide appropriate training to employees

In practice, it is the employees of the company, regardless of role and duties, who come into contact with personal data while performing their work. All employees therefore need to comply with the GDPR, not just company management, and staff should be trained in the GDPR and the correct processing of personal data. Not every employee needs to know every rule of the GDPR; it is more important that employees receive training on the GDPR matters related to their specific tasks and areas of work.

It is good to get feedback from employees

Since employees at all levels of the company process personal data in their work, their feedback should be part of the company's improvement work. Employees often have good insight into the practicalities that affect their tasks and therefore know where improvements are possible.

Check access permissions

It is rarely necessary for all employees to have access to all the personal data that the company processes. Under the GDPR principles of data minimisation and of integrity and confidentiality (Article 5(1)(c) and (f)), exposure of personal data should be kept to a minimum, including within the company: only those employees who need the personal data to perform their duties should have access to it. The company should therefore have IT solutions for allocating access permissions by role and for regularly reviewing them, so that access granted for a past task does not persist once the need is gone.


Example

An accounting consultant needs access to all the personal data in the financial system in order to carry out the accounting work. The company's purchasing manager has no need for all of that personal data and should therefore not have the same access rights as the accounting consultant.
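The following is an added example, not code from the original page, showing how the need-to-know check and the access review described above can be expressed in code. The role names, the fields of the hypothetical financial system, and the user entitlements are all constructed assumptions that mirror the accounting-consultant versus purchasing-manager illustration; each role is given the minimum set of fields it needs, every access check denies by default, and the review function reports any user whose actual grants exceed what their role needs, flagging personal-data fields first.

```python
"""Least-privilege access check and access review for personal data.

Added example (not part of the original page). Role names, data fields and
user entitlements below are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

# Fields in a hypothetical financial system; True marks personal data.
FIN_FIELDS = {
    "invoice.amount": False,
    "invoice.supplier_name": False,
    "employee.name": True,
    "employee.bank_account": True,
    "employee.national_id": True,
    "customer.name": True,
    "customer.email": True,
}

# Minimum access each role needs for its duties (the need-to-know baseline).
# Assumed roles: the accounting consultant needs everything, the purchasing
# manager only non-personal invoice data, customer service only customer contact data.
ROLE_NEEDS = {
    "accounting_consultant": set(FIN_FIELDS),
    "purchasing_manager": {"invoice.amount", "invoice.supplier_name"},
    "customer_service": {"customer.name", "customer.email"},
}


@dataclass
class User:
    name: str
    role: str
    granted: set = field(default_factory=set)  # what the system actually allows


def is_allowed(user: User, field_name: str) -> bool:
    """Deny by default: allow only if the role needs the field AND it is granted.

    An unknown role has an empty need set and is therefore denied everything.
    """
    needed = ROLE_NEEDS.get(user.role, set())
    return field_name in needed and field_name in user.granted


def excess_grants(user: User) -> dict:
    """Fields granted beyond the role's need, mapped to whether they are personal data.

    Unknown fields are treated as personal data (the conservative assumption).
    """
    extra = user.granted - ROLE_NEEDS.get(user.role, set())
    return {f: FIN_FIELDS.get(f, True) for f in sorted(extra)}


def access_review(users: list) -> dict:
    """Report over-privileged users; excess personal-data fields are listed first."""
    findings = {}
    for u in users:
        extra = excess_grants(u)
        if extra:
            findings[u.name] = sorted(extra, key=lambda f: (not extra[f], f))
    return findings


# Constructed sample entitlement data: bob has been given employee data
# he does not need for purchasing.
USERS = [
    User("alice", "accounting_consultant", set(FIN_FIELDS)),
    User("bob", "purchasing_manager",
         {"invoice.amount", "invoice.supplier_name",
          "employee.bank_account", "employee.name"}),
    User("carol", "customer_service", {"customer.name", "customer.email"}),
]

if __name__ == "__main__":
    for name, fields in access_review(USERS).items():
        print(f"{name}: excess access to {', '.join(fields)}")
```

Run periodically against the real entitlement export, the review output is the list of grants to revoke; the deny-by-default check means that even a stale grant does not become usable unless the role's need set is also widened deliberately.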

It is important to have a good data protection culture in the company

Creating a good data protection culture means establishing norms and values among employees that are consistent with the GDPR and its data protection principles. Such a culture develops over time, and the bigger the company, the more important it becomes, since rules and routines alone cannot cover every situation an employee encounters.

Examples:

  • Create a habit among employees to always double check the specified recipient before sending an email. 
  • Create a culture where no employee is ashamed to ask their colleagues for help on GDPR or other issues.

Creating a data protection structure - The bigger the company, the more important it is

The larger the company, the more important it is to have a good data protection structure so as not to violate the GDPR, and the requirements are usually higher for larger companies. For example, a large company may need to appoint a separate individual to each role described below, while in a smaller company one individual may hold tasks from several roles.

Example of a data protection structure within a larger company

Top Management and Board of Directors

The top management and the board of directors have ultimate responsibility for running the business and for ensuring that the company complies with the GDPR.

  • In order for employees to be able to follow the GDPR in their work, top management and the board need to create a good data protection culture.
  • Top management and the board shall ensure that employees receive appropriate training and instructions on how to carry out their work in accordance with the GDPR.

Data Protection Committee

  • It is beneficial to set up a data protection committee within the business, with at least one person from each group: one from top management, one from data protection support, the data protection officer and the data protection ambassadors.
  • The data protection committee steers the data protection work and takes strategic decisions based on the needs of the company. It also follows up on the measures that are decided.

Data protection support

  • Data protection support is typically a person from the company's legal department. The role is tasked with guiding and supporting the various departments within the company, answering their questions and the like.
  • Data protection support is also usually the contact point for the supervisory authority if the company does not have a data protection officer.

Data Protection Ambassadors

  • Data protection ambassadors are coordinators who act as contact points within the company.
  • If a large company has several departments, it may be useful to appoint one data protection ambassador per department: for example, one for customer service, one for sales, one for inventory management, and so on.
  • Employees should be able to turn to the data protection ambassadors with any question about the GDPR. Likewise, when management or the board wants to change something in the data protection work, it is the data protection ambassadors who implement the measures in their departments.

Data Protection Officer

The data protection officer shall, among other things:

  • Monitor that the company complies with the GDPR.
  • Be available to both employees and external data subjects, such as customers, for questions regarding the processing of their personal data.
  • Carry out appropriate training and awareness-raising activities within the company.
  • Act as the contact point for the supervisory authority; the company must publish the officer's contact details and communicate them to the authority.
  • Advise on data protection impact assessments and monitor their performance.

Other members of the staff

It is the employees within the company who in practice handle personal data. It is therefore important to give them good conditions for doing so in accordance with the GDPR. If they violate the GDPR, it is the company, as controller, that is answerable to the supervisory authority and to data subjects for the consequences, not the employee personally.
