The EU General Data Protection Regulation (GDPR) is getting ever closer – it will be here with us in May 2018 – and yet the question over who is responsible for it in an individual business or organisation remains a big one.
The truth is that with GDPR fast approaching, many people are still unsure where the responsibility will lie for complying with the regulation.
Should we be looking to the chief executive or business owner? Should it be a board issue? An IT issue? A department manager issue? Or should every person in the business take some responsibility?
One of the stipulations of GDPR is that larger companies will need to appoint a Data Protection Officer and that is an obvious starting point. But many businesses still see it as an IT issue when in fact it is a company-wide or board issue.
Designing information management systems
Information management systems need to be specifically designed to comply with GDPR and to ensure the business is compliant in all areas, including data protection. A requirement for ‘privacy by design’ when handling the personal data of EU citizens is a cornerstone of the regulation.
Staff training between now and May when the regulation comes into force is vital too, especially around the prevention of data breaches. So it simply isn’t possible to say that only IT needs to worry about the regulation’s implementation.
But has that message really got through? Below are statistics from a recent Crown Records Management survey of IT decision makers at UK companies.
When asked ‘Who is responsible for data protection in your company?’ the response was mixed:
- The CIO/head of IT: 64%
- The Data Protection Officer: 48%
- The CEO: 37%
- The Chief Information Security Officer: 24%
- All staff: 9%
The fact that so many different answers were given is a possible concern. It is vital that boards understand that awareness of GDPR and what it means should run through the whole business.