Who can be Data Controller and Data Protection Officer in the small organisation?

Lanacosmo

Free Member
Aug 25, 2015
Hello everyone,

I am in the process of registering our company (fewer than 250 employees) with the ICO under GDPR and would like to clarify who should be the data controller: the HR Manager or the directors/owners of the business?

Can the Data Protection Officer be someone from HR?

Thank you very much
 

fisicx

Moderator
Sep 12, 2006
Aldershot
www.aerin.co.uk

Alan

Free Member
  • Aug 16, 2011
    The DPO generally is only required where personal data is systematically processed on a 'large scale'. Large scale is not defined, but there is some guidance in which an example of large scale is all the patients handled by a hospital, and not large is all the patients of a single physician.

    I guess if you are in between, like a surgery of 4 doctors, you are in that GDPR unproven grey area :) and judgement calls are required.
     

    Ozzy

    Founder of UKBF
    UKBF Staff
  • Feb 9, 2003
    Northampton, UK
    bdgroup.co.uk
    Something that also gets missed is that you must appoint a senior member of staff, or director, who is responsible for Data Protection, but the role of "Data Protection Officer" is a defined role in the legislation that has specific legal responsibility. You do not always need to appoint a DPO, so as a small business if you don't process large scale data then you don't need to appoint that specific role and a Data Protection Manager will be sufficient.

    A lot of hype has been created over GDPR and in reality it just boils down to being diligent and sensible; nothing has really changed that much since the original Data Protection Act other than accountability. Just be sensible and accountable.
     