Who is responsible for compliance with GDPR?
The ultimate responsibility for GDPR is the CEO or Owner of the Business.
The CEO needs to identify or allocate staff responsible for monitoring GDPR compliance. The key person should be the Data Protection Officer. Sometimes the CTO (Chief Technology Officer) has this role. Others in the Data Protection team are the Data Controllers and Data Processors.
Monitoring is an ongoing process. Being compliant on May 25th, 2018, does not necessarily mean compliance 6 months later.
Data Protection Officers (DPO):
The DPO should conduct an internal audit to evaluate compliance with GDPR. This gives users the opportunity to validate the degree to which their organisation complies with the regulations and to identify areas that need remedial action to improve the compliance posture. Provide a timetable for improved compliance.
Users should be able to identify the GDPR Compliance Certificate of an Organisation.
Personal Data Controllers and Processors:
Data Controllers and Processors should register filing systems (structured sets of personal data), together with the purposes and means of their processing, in order to ensure compliance with GDPR in all areas to which the regulations apply. What is the data, why is it needed, and how will it be processed?
For professional guidance on the complex text of GDPR:
The data protection team should access the full text of the Regulation with explanatory and helpful notes to interpret the spirit and requirement of each article. Where possible, assign named persons responsible for each aspect of compliance. Meet with the CEO and CTO, where these roles exist, and agree roles with them.
For managing personal data breach response (GDPR or DPA 2018):
Fully control personal data breach incident response and initiate implementation of corrective and remedial actions. A Disaster Recovery document should indicate the steps for recovery and which preventative actions need to be updated.
Any data breach incident must be reported within 72 hours of occurrence.
Complaints of non-compliance are usually handled by the Information Commissioner's Office (ICO) in the United Kingdom. A personal data breach can be classified as any accidental or unlawful destruction, loss, alteration, or unintended disclosure of third-party/personal data, whether caused accidentally or deliberately.