This post relates to a LinkedIn article written by Micky Khanna of GDPRPLAN.com on March 7th 2018, which examines the organisational measures and responsibilities in relation to the EU GDPR.
The article starts by looking at the Sales department: as they are selling the reputation of the company, they will want to assure prospects and confidently demonstrate that their employer is GDPR compliant.
Then the article looks at how Client Services are responsible for the confidentiality and integrity of their clients’ personal information, citing examples within one area of digital marketing (affiliate) where cashback sites frequently send details of disputed transactions to affiliate networks and merchants in order to validate a customer transaction from their website.
The article then talks about the Marketing department, and how they promote and advertise their employer’s products and services, and will want to convey the message of GDPR compliance (either through accreditations or certifications for example).
The post also looks at Finance/Accounts and how (like client services) confidentiality of client and employee information is of paramount importance due to the sensitivity of the information.
With regard to the Legal department, the post talks about the sensitivity of information, both existing and archived. There may be a compliance department within the organisation (often close to the Legal department), so organisational measures are needed to ensure regulations are adhered to.
The article goes into considerable detail regarding Human Resources and how the GDPR can affect this department given the volume and sensitivity of employee information (not just past and present), as well as information on prospective candidates through access to CVs, which are often shared with the hiring manager. It raises questions as to what organisational measures are put in place to ensure protection of this sensitive information.
The next section of the article looks at the Facilities Department, who literally hold the keys to the premises and are influential in the setting of physical security measures as well as ongoing organisational measures.
The last section of the article covers the I.T Department, who oversee information security within the company and therefore the organisational measures they set in terms of firewalls, encryption of data, and assisting with the IT policy (internet usage, BYOD, Cloud Services, Remote Working to name but a few) that ensure the Confidentiality, Integrity and Availability of personal information.
The article concludes with an observation that not all companies will have the same organisation structure, but that this is probably quite a common structure for a medium-to-large enterprise within the digital industry. Also within the concluding section, the article talks about the need to consider organisational measures when it comes to temporary or contract staff and suggests carrying out risk assessments to ensure processes are in place so as to minimise risk. It is the board who should be driving the organisational measures and leading by example, as the person who sits at the very top of the organisation will ultimately be accountable should the company be found to be in violation of the EU GDPR.
You can read the full article at https://www.linkedin.com/pulse/organisational-measures-responsibilities-gdpr-micky-khanna/. If you would like to discuss how GDPRPLAN.com can help devise appropriate organisational measures within your enterprise feel free to contact us.