GDPR Roles and Responsibilities
GDPR Toolkit Version 4 ©CertiKit
GDPR Roles and Responsibilities
Implementation Guidance (The header page and this section must be removed from final version of the document)
Purpose of this document The document sets out some of the main roles that may be involved in GDPR compliance, together with their relevant responsibilities.
Areas of the GDPR addressed The following areas of the GDPR are addressed by this document: Chapter IV – Controller and processor Section 4. – Data protection officer
General Guidance An organisation may be structured in many different ways, depending on size, geographical spread, technology, culture and whether customers are internal or external, amongst others. Because of this, you will need to tailor this document to reflect your own organisation’s structure and job roles. In a larger organisation, these roles will often be allocated to different people. In a smaller organisation, these responsibilities may need to be allocated to relatively few people. The roles required will depend on whether your organisation is a controller or processor or both and whether your processing meets the criteria for a data processing officer.
Review Frequency We would recommend this document is reviewed annually and upon significant changes to the organisation structure.
Toolkit Version Number GDPR Toolkit Version 4
Document Fields This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom Version 1
Page 1 of 14
[Insert date]
GDPR Roles and Responsibilities
document property “Organization Name”. To update this field (and any others that may exist in this document): 1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name 2. Press Ctrl a on the keyboard to select all text in the document (or use Select, Select All on the ribbon) 3. Press F9 on the keyboard to update all fields 4. When prompted, choose the option to just update TOC page numbers If you wish to permanently convert the fields in this document to text i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible then go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly. Further detail on the above procedure can be found in the Toolkit Completion Instructions within the Project Resources folder.
Copyright notice Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a trading name of Public I.T. Limited, a company registered in England and Wales with company number 6432088 and registered office at 5 Falcons Rise, Belper, Derbyshire, DE56 0QN.
Licence terms This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.
Disclaimer Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from
Version 1
Page 2 of 14
[Insert date]
GDPR Roles and Responsibilities
which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Version 1
Page 3 of 14
[Insert date]
GDPR Roles and Responsibilities
[Replace with your logo]
GDPR Roles and Responsibilities
Document Ref. Version: Dated: Document Author: Document Owner:
Version 1
Page 4 of 14
GDPR-DOC-02-1 1 [Insert date]
[Insert date]
GDPR Roles and Responsibilities
Revision History Version Date
Revision Author
Summary of Changes
Distribution Name
Title
Approval Name
Version 1
Position
Signature
Page 5 of 14
Date
[Insert date]
GDPR Roles and Responsibilities
Contents 1
INTRODUCTION ....................................................................................................................................... 7
2
DATA PROTECTION ROLES ................................................................................................................. 8
3
SPECIFIC ROLE RESPONSIBILITIES ................................................................................................. 9 3.1 3.2 3.3 3.4
4
DATA CONTROLLER .................................................................................................................................. 9 DATA PROCESSOR ................................................................................................................................... 10 DATA PROTECTION OFFICER ................................................................................................................... 12 INFORMATION SECURITY MANAGER ....................................................................................................... 13
OTHER ROLES WITH DATA PROTECTION RESPONSIBILITIES ............................................. 14 4.1 4.2
DEPARTMENT MANAGERS ...................................................................................................................... 14 EMPLOYEES ............................................................................................................................................ 14
List of Figures FIGURE 1 - ORGANISATION CHART ............................................................................................................................ 8
Version 1
Page 6 of 14
[Insert date]
GDPR Roles and Responsibilities
1 Introduction [Organization Name] treats the security of its personal data very seriously. One of the key attributes of an effective approach to data protection is a clear allocation of roles, each with defined responsibilities. Each of these roles needs to be allocated to specific individuals or groups within the organisation. It is vital that everyone within the organisation understands the part they must play in keeping the personal data we hold and process about individuals safe. This document should be read in conjunction with others that set out how data protection is managed within [Organization Name], including: • • • • • •
Data Protection Policy GDPR Competence Development Procedure Data Protection Impact Assessment Process Information Security Incident Response Procedure Personal Data Breach Notification Procedure Data Subject Request Procedure
By ensuring that roles and responsibilities are clearly defined we will be in a good position to prevent many data protection incidents affecting personal data from happening and to react effectively and appropriately if and when they do.
Version 1
Page 7 of 14
[Insert date]
GDPR Roles and Responsibilities
2 Data Protection Roles Within the data protection framework relevant to our compliance with the GDPR, the following major roles need to be defined and allocated: • • • •
Data Controller Data Processor Information Security Manager Data Protection Officer
The specific responsibilities of each of these roles are set out in later sections of this document. There are also particular data protection responsibilities that must be carried out by existing internal roles within the organisation and these are also set out in summary within this document. These roles are: • •
Department Managers Employees
In general, responsibilities that apply to all employees, contractors and other interested parties are set out within the relevant organisational policies. A subset of the organisation chart showing the relevant data protection roles is shown below.
Figure 1 - Organisation chart
[Explain the main parts of the structure and any relevant information such as geographical location, upcoming changes, part-time positions etc.]
Version 1
Page 8 of 14
[Insert date]
GDPR Roles and Responsibilities
3 Specific Role Responsibilities This section details the specific data protection responsibilities of each role within the [Organization Name] organisation structure. It does not include any other types of responsibility e.g. managerial, technical and should not be taken as a full job description. Competences necessary to fulfil each role are defined in the document GDPR Competence Development Procedure.
3.1
Data Controller
The GDPR defines a “controller” as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. Accordingly, the responsibilities described below may be assigned to an individual or may be taken to apply to the organisation as a whole. The Data Controller has the following responsibilities: •
Ensure that the principles relating to processing of personal data described in Article 5 of the GDPR are adhered to and be able to demonstrate compliance with them. In summary, these are to ensure that personal data are: o o o o o
processed lawfully, fairly and transparently collected for specified, explicit and legitimate purposes adequate, relevant and limited to what is necessary accurate and, where necessary, kept up to date kept in a form which permits identification of data subjects for no longer than is necessary o processed in a manner that ensures appropriate security •
Ensure that the consent of the data subject to processing of personal data is obtained where appropriate, including parental consent for children
•
Provide all of the information required under the GDPR to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language
•
Facilitate the exercise of data subject rights under the GDPR and keep the data subject informed of the progress of their request
•
Implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR
•
Ensure that only processors who provide sufficient guarantees to implement appropriate technical and organisational measures to meet the GDPR and protect personal data, are used
Version 1
Page 9 of 14
[Insert date]
GDPR Roles and Responsibilities
3.2
•
Maintain a record of processing activities related to personal data which fall under the controller’s responsibility
•
Cooperate, on request, with the supervisory authority in the performance of its tasks
•
Ensure that any person acting under the authority of the controller who has access to personal data does not process them except on instructions from the controller
•
Notify a personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, in accordance with organisational procedures
•
Document any personal data breaches, including the facts relating to the personal data breach, its effects and the remedial action taken
•
Where appropriate, communicate a personal data breach to the data subject without undue delay
•
Carry out data protection impact assessments, where appropriate, in accordance with procedures
•
Designate a data protection officer where required by the GDPR, publish their details and communicate them to the supervisory authority
•
Support the data protection officer in performing their tasks by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge
•
Transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available
Data Processor
[Note: this role is only relevant if your organisation is acting as a processor on behalf of a controller]. The GDPR defines a “processor” as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. Therefore, the responsibilities described below may be assigned to an individual or may be taken to apply to the organisation as a whole. The Data Processor has the following responsibilities:
Version 1
Page 10 of 14
[Insert date]
GDPR Roles and Responsibilities
•
Ensure that all processing of personal data is governed by a contract or other legal act that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller
•
Process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation
•
Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
•
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of personal data
•
Obtain the prior specific or general written authorisation of the controller before engaging another processor
•
Assist the controller in the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights
•
Delete or return all the personal data to the controller after the end of the provision of services relating to processing
•
Make available to the controller all information necessary to demonstrate compliance with the obligations laid down in the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller
•
Maintain a record of all categories of processing activities carried out on behalf of a controller
•
Cooperate, on request, with the supervisory authority in the performance of its tasks
•
Ensure that any person acting under the authority of the processor who has access to personal data does not process them except on instructions from the controller
•
Notify the controller without undue delay after becoming aware of a personal data breach
•
Designate a data protection officer where required by the GDPR, publish their details and communicate them to the supervisory authority
Version 1
Page 11 of 14
[Insert date]
GDPR Roles and Responsibilities
•
3.3
Support the data protection officer in performing their tasks by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge
Data Protection Officer
The Data Protection Officer is a required appointment in line with the EU General Data Protection Regulation and has specific responsibilities for the protection of the personal data of data subjects. [Note: A Data Protection Officer is required in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.] The Data Protection Officer has the following responsibilities: •
Inform and advise the data controller or the processor and the employees who carry out processing of their obligations under applicable data protection law
•
Monitor compliance with data protection law and with the policies of the data controller or processor in relation to the protection of personal data
•
Assignment of responsibilities, awareness-raising and training of staff involved in the processing of personal data, and the related audits
•
Provide advice where requested regarding assessments and monitor their performance
•
Cooperate with all relevant supervisory authorities for data protection
•
Act as the contact point for supervisory authorities on issues relating to personal data processing and to consult, where appropriate, with regard to any other matter
Version 1
Page 12 of 14
data
protection
impact
[Insert date]
GDPR Roles and Responsibilities
3.4
Information Security Manager
The Information Security Manager is the primary role with a dedicated focus on information security and related issues. The Information Security Manager has the following responsibilities: •
Reporting to management on all security related matters on a regular and adhoc basis when required
•
Communicate the information security policy to all relevant interested parties where appropriate, including customers
•
Implement the requirements of the information security policy
•
Manage risks associated with access to the service or systems
•
Ensure that security controls are in place and documented
•
Quantify and monitor the types, volumes and impacts of security incidents and malfunctions
•
Define improvement plans and targets for the financial year
•
Monitor achievement against targets
•
Identify and manage information security incidents according to a process
Version 1
Page 13 of 14
[Insert date]
GDPR Roles and Responsibilities
4 Other Roles with Data Protection Responsibilities There are a number of other internal roles within the organisation which, whilst not solely dedicated to data protection, have relevant responsibilities. 4.1
Department Managers
Department Managers may be heads or supervisors of operational units within the organisation. A Department Manager has the following responsibilities: •
Review and manage employee competencies and training needs to enable them to perform their role effectively within the data protection area
•
Ensure that employees are aware of the relevance and importance of their activities and how they contribute to the achievement of data protection objectives
•
Participate in, and contribute to, data protection impact assessments affecting their business area
4.2
Employees
The responsibilities of all employees are defined in a variety of organisation-wide policies and are only summarized in brief below. An employee has the following main responsibilities: •
Ensure they are aware of and comply with all data protection policies of the organisation relevant to their business role
•
Report any actual or potential security breaches
•
Contribute to data protection impact assessment where required
Version 1
Page 14 of 14
[Insert date]