All organisations have a duty, via their DPO or Privacy Manager, to ensure that all folk within their organisation are aware of their accountabilities and responsibilities.
“The duties of a Data Protection Officer include: Working towards the compliance with all relevant data protection laws, monitoring specific processes, such as data protection impact assessments, increasing employee awareness for data protection and training them accordingly, …”
Again, the GDPR is fuzzy. What does ‘accordingly’ mean? The Cambridge Dictionary says this: “in a way that is suitable or right for the situation”. Their underlines, not mine!
So the overall situation is GDPR compliance, but the sub-situation (if this is even a word) is the role of the person who is part of the organisation striving to be GDPR compliant.
We get asked, "Who should we train and what on?" Well, there is 'everyone'. All folk in your organisation should be made aware of GDPR and their responsibilities to ensure that the company is compliant, and there are, of course, some obvious roles: the DPO or Privacy Manager, and the Business Process Owners. But who else? Well, as examples, we see two further obvious roles that need training.
Firstly, the procurement folk, i.e. anyone who is contracting with a third party. They need to be trained on how to recognise whether a special contracting relationship is needed with a third party, over and above their standard Ts and Cs. For example, asking themselves, “Is this supplier processing personal data?” If the answer is yes, then thinking through the type of contracting that is needed: perhaps just a DPA (data processing agreement), but if you are a joint controller with this supplier, then perhaps a data sharing agreement. Also, where is this data being processed, in the EEA or outside it, and what transfer agreements are needed? Once that has been established, which tools in your company’s toolbox to use, e.g. templates, to ensure that you undertake compliant contracting.
Secondly, we encourage specific training for managers who have process owners in their organisation. Why? Well, managers need to ensure that process owners monitor their processes and ensure that they remain compliant, essentially process custodianship, reviewed at least once a year for change. Managers must also ensure that if process owners go on holiday, are long-term ill or leave the organisation, there is an alternate available to act on potential DSAR requests, for example.
So review the roles in your organisation, ensure that you put in place the correct training, and record that it has happened.