Part of the new European General Data Protection Regulation (GDPR) includes definitions of different roles and their responsibilities. Before starting to understand GDPR requirements, or starting to implement GDPR, it is important to understand the key roles. In this article, I will share an overview of key GDPR roles and responsibilities.
- Data Protection Officer (DPO)
- Supervisory Authority
The controller is the natural person or legal entity that determines the purposes and means of the processing of personal data (e.g., when processing an employee’s personal data, the employer is considered to be the controller). It is possible to have joint data controllers in certain circumstances. For example, when a company operates in multiple countries, but decisions on processing purposes are being made both by central and local entities, the scenario would qualify as a joint controller.
The key responsibility of a controller is to be accountable, i.e., to take actions in line with GDPR, and to be able to explain the compliance with GDPR to data subjects and the Supervisory Authority, as and when required.
A natural person or legal entity that processes personal data on behalf of the controller (e.g., a call centres acting on behalf of its client) is considered to be a processor. At times, a processor is also called a third party.
The key responsibility of the processor is to ensure that conditions specified in the Data Processing Agreement signed with the controller are always met, and that obligations stated in GDPR are complied with.
Data Protection Officer (DPO)
The Data Protection Officer is a leadership role required by EU GDPR. This role exists within companies that process the personal data of EU citizens. A DPO is responsible for overseeing the data protection approach, strategy, and its implementation. In short, the DPO is responsible for GDPR compliance. It is possible that certain companies choose not to appoint a DPO, but assign the responsibility to an existing person in the organisation.
Normally, the choice of appointing a DPO, or not, is based on the scale of personal data that is processed in a company. For example, a small company that offers analytical services on medical records should have a DPO, because they process personal data, while a mid-sized manufacturing company may choose not to have a DPO, as the only personal data they process is that of staff and suppliers.
The key responsibility of the DPO is to ensure compliance with GDPR and advise company management and staff on the right measures to take.
A Supervisory Authority is a public authority in an EU country responsible for monitoring compliance with GDPR. An EU country within the European Union is also referred to as a member state. A Supervisory Authority is typically a Privacy Commission or equivalent in a member state. It may have a different name in each country. For example, in the UK it is called the Information Commissioners Office. See here a list of Supervisory Authorities in all EU member states.
The key role of the Supervisory Authority is to advise companies about GDPR, conduct audits on compliance with GDPR, address complaints from data subjects, and issue fines when companies are deliberately not complying with GDPR.
A Supervisory Authority is also referred to as a Data Protection Authority by some experts. So, you should remember that both terms mean the same thing.
While a Supervisory Authority is responsible within a country, the companies operating in multiple countries may choose to appoint a Lead Supervisory Authority for the purpose of reporting. For example, the company should register the name of its DPO with the Lead Supervisory Authority. This can be a great simplification for companies that operate in multiple countries and choose not to appoint a DPO for each country of operation.
To conclude, to understand and implement GDPR correctly, you must understand the key roles as per GDPR and decide which roles are relevant in the context of your company.
To read all the requirements, see this free EU GDPR Full Text.