Implemented in May 2018, the General Data Protection Regulations have been one of the biggest topics in the digital world, and wide business management, for several years now. GDPR brought many changes to the UK’s data protection laws, and as a result, many businesses faced significant challenges in ensuring that they were compliant. However, the transition process is still not yet over for many businesses, despite the threat of fines, and for many, adhering to GDPR will be a continual issue of compliance.
As a result of this, we’ve seen the emergence of a new job role - or job function - which is that of the GDPR practitioner. In this article, we’re going to look in some detail at what the GDPR practitioner role involves, what its responsibilities are, and how a person can take on this title.
First, it helps to understand a little more about GDPR. While senior management and those that work with data should already be aware of what it entails, there’s still a lack of knowledge amongst many companies.
GDPR is, in short, a restructuring of the laws surrounding data protection with a view to give individuals more control when it comes to deciding how their information is used by companies that do business in the EU. There are a number of major changes brought about by these regulations, including the following:
According to the Information Commissioner’s Office, there are six principles of GDPR which may also be helpful for understanding the spirit of the regulations:
These principles refer to the use of data. For example, an email can only be sent as a marketing tool if there’s a lawful reason such as explicit consent, any information held about the owner should be accurate, and the email address should not be on file for any longer than is necessary.
A practitioner’s main focus will naturally be on ensuring business compliance with the regulations set out by the EU. This could potentially be a fairly wide-ranging remit depending on how large and diverse the organisation is. It’s likely that they will need to work with senior management, compliance, IT, marketing and various other departments, as GDPR has fairly broad-reaching implications.
There are many things that a practitioner might do. For example, they may ensure that subject access requests (SARs) are being handled appropriately, they may be responsible for communication if a data breach occurs, and they will likely have a hand in ensuring that data about EU citizens is kept secure as an ongoing concern.
Brexit is naturally a significant concern for anyone thinking about compliance issues that have been set by the EU. However, we do have some guidance as to how GDPR might be affected if and when the UK leaves the EU.
The EU Withdrawal Act 2018 does contain within it provision for the UK to continue following the standards set by GDPR in the even that it leaves the EU with a deal. This should mean that nothing significant would change, and that the practitioner’s role would continue to be the same.
In the event of a No Deal Brexit, things are much less clear. The UK would not be bound by EU laws, and would not necessarily have agreed to the same standards either. Unfortunately there is no guarantee as to the role of the GDPR practitioner in such a scenario.
However, British businesses operate extensively in the EU, which means that they may well be handlers of data belonging to EU citizens. If this is the case, then a business would certainly still be bound by EU law when it came to this data, even if the UK leaves the EU.
Depending on the size of the organisation in question, the role of GDPR practitioner might be full-time, or it may simply be an additional set of responsibilities for existing data handlers or other IT or communications executive.
In a very large organisation, GDPR may have had profound effects on the way that business is conducted, which means that ensuring compliance with it may well be a full-time role. In the previous section, we can see just how pervasive the effects of GDPR can be. Indeed, GDPR does mandate the designation of a Data Protection Officer in certain circumstances including the following as stated by the ICO:
In such a case, GDPR would be the responsibility of the Data Protection Officer, and they would fulfill the same (though increased) role as GDPR practitioner.
Smaller businesses who don’t necessarily need a Data Protection Officer under law may however wish to have someone trained as a GDPR practitioner so that they can ensure the business is meeting its requirements. In many businesses that don’t deal extensively with individuals’ data, this can be anyone who has appropriate training and may be a member of management or IT employee.
As things stand, the role of GDPR practitioner is not a set one determined by law or any particular qualification. However, in order to carry out the job effectively, an individual must have an excellent knowledge of the EU’s regulations, as well as a broader view of data protection. Many existing Data Protection Officers will already have much of this knowledge and may only need brief additional training to be considered a GDPR practitioner. However, those who are new to the role, or those who are taking it on as an additional responsibility may need to have more extensive GDPR training.
Here at Virtual College, we’re pleased to be able to offer an introductory course titled ‘The Essentials of GDPR’. This course is ideal for those who work with data, and can be taken by anyone with no prior qualifications needed. Click here to find out more about what it involves and how it might benefit your business.