Who Is Responsible for GDPR Compliance at Your Company?

The General Data Protection Regulation (GDPR) was introduced in 2016 and officially implemented on May 25, 2018. It was ideal timing given that the increased use of the internet meant that organizations began collecting more consumer data than ever before. The GDPR protects EU citizens’ personal information, giving consumers the right to be forgotten under certain circumstances. The law also holds companies accountable to justify their need for collecting and storing data. 

Part of ensuring GDPR compliance is having an understanding of who in your company is required to enforce the GDPR and what their key roles and responsibilities are — including the DPO requirement, knowing the difference between a controller vs. processor, and what a supervisory authority is. We recommend reviewing the GDPR requirements if you have any questions about the law and how to maintain compliance. Below are four roles that are responsible to help your organization meet GDPR guidelines. 

4 Types of Personnel Responsible for GDPR Compliance 

Understanding the GDPR’s Data Protection Officer (DPO) Requirement

The Data Protection Officer (DPO) is a leadership role required by the EU GDPR and exists in companies that process the personal data of EU companies. The DPO is responsible for overseeing the data protection strategy, approach and implementation of their organization. 

In addition to holding the highest responsibility in ensuring GDPR compliance, DPOs are also charged with advising employees on the right measures to ensure the protection of personal data, which is critical because employees have equally important roles to play in data privacy. A current employee is able to be assigned the role of DPO to fulfil the DPO requirement, but your organization can also seek outside counsel and contract a specialized officer to fill the position. 

GDPR Controller vs Processor

Let’s compare the controller vs processor roles. A data controller is a person or legal entity that decides the means of processing personal data. Their key responsibility is to be accountable for the GDPR, while being able to explain how compliance is maintained to data subjects and the Supervisory Authority when needed. A data controller is not always a single entity. Sometimes, a joint controllership will exist, especially when companies handle data internationally. The business may have a central controller and regional controllers.

A data processor is an individual or legal entity that processes personal data on behalf of the controller. Sometimes, processors are referred to as a “third party.” Their key responsibility is to verify that the conditions specified in the Data Processing Agreement signed by the controller are met and that GDPR compliance is constantly being maintained. 

Supervisory Authority

A supervisory authority (SA) is a public authority in an EU country responsible for monitoring the compliance of GDPR. A SA is also sometimes referred to as a Privacy Commissioner or Data Protection Authority. 

The SA’s main responsibility is to advise companies about GDPR, address complaints from data subjects, conduct audits, and issue fines when companies do not comply. There is an SA appointed for each EU member state.

Use Ground Labs to Get Started with GDPR Compliance

Keep in mind that DPOs are not called for based on the size of an organization, but instead the type and scope of data collected and used by an organization. DPOs should not have to manually scan for data themselves. It would be time consuming, inefficient and resource heavy. Many DPOs trust Ground Labs’ Enterprise Recon technology to scan and mitigate compliance concerns on an ongoing basis, enabling their organization to reach the highest level of GDPR compliance and ongoing security possible. 

If you are ready to learn more about how Ground Labs can help your business meet GDPR compliance, schedule an appointment with an expert now.