Who is involved in GDPR compliance?
GDPR has created a number of new roles or new terms for existing roles.
Data Subject
Identified or identifiable natural persons in the EU (residents, not only citizens) whose personal data is processed, for example the customers using goods and services provided by data controllers.
Data Controller
Decides the purposes and means of processing personal data. The controller decides what personal data should be collected, why it is needed, and how it should be collected.
Data Processor
Processes personal data on behalf of, and only on the documented instructions of, a data controller. Processors are often third parties or subcontractors.
Take a chain of gymnasiums as an example. The members of the gym are the Data Subjects. The company that owns the gymnasiums decides what data it needs to run its business and how that data should be collected, so it is the Data Controller. The web developers who capture the data at the owner's behest are the Data Processors.
In addition, some businesses have further requirements…
Data Protection Officers (DPO)
GDPR introduces a duty to appoint a data protection officer (DPO) if your business carries out certain types of processing activities.
A DPO must be appointed if your business is any of the following:
- A public authority
- An organisation whose core activities involve large-scale, regular and systematic monitoring of individuals
- An organisation whose core activities involve large-scale processing of sensitive (special category) personal data
If your organisation does not fall into one of these categories, GDPR does not require you to appoint a DPO, although you may still choose to do so.
Who enforces GDPR?
The Information Commissioner’s Office (ICO)
In the UK, the Information Commissioner's Office (ICO) is responsible for enforcing GDPR. The ICO has the power to conduct investigations, bring criminal prosecutions under data protection law and issue fines. It also provides organisations with guidance on how to comply with GDPR.
Can you match the role with the description?
Decides what and how data should be collected. Responsible for ensuring only pertinent information is stored and associated with the individual.
Who is this describing?