This would be my interpretation of the drafter’s intention too, although it would definitely have helped if it had been worded less ambiguously…

Peter Dinsdale

Information Security Officer (Compliance)

Tel: 0191 208 6950

From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Michael Bacon - Grimbaldus
Sent: 12 January 2017 11:14
To: [log in to unmask]
Subject: Re: [data-protection] GDPR Data Protection Officer

The wording in the GDPR: "The data protection officer shall directly report to the highest management level of the controller or the processor." is open to some interpretation.  It might be that in different countries or even different industries "shall directly report to the highest management level" means presenting a report, rather than being a line report to.  In my experience, though, across a broad swathe of UK and European industries, it means line reporting; and I suspect that was the drafter's intention.

And there is sense in that, from the word "direct".  It is hard to imagine senior management being comfortable with an individual several layers below reporting directly to the Board or the Audit & Risk Committee, without them presenting said individual with "instructions regarding the exercise of those tasks".

M


On 12 Jan 2017, at 09:39, Peter Dinsdale <[log in to unmask]> wrote:

Hi Victoria,

Does your comment on reporting to the highest level of management come from any guidance that you’ve seen, or is that just your view? I’ve been trying to find clarification on this point since the Regulation was released, and nobody seems to be sure. At least one training course I’ve been on has suggested it does mean line management reporting, rather than just putting in a regular formalised report.

Thanks,
Peter

Peter Dinsdale

Information Security Officer (Compliance)

Tel: 0191 208 6950

From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Blyth, Victoria
Sent: 11 January 2017 16:41
To: [log in to unmask]
Subject: Re: [data-protection] GDPR Data Protection Officer

Hi

I don’t see it as a conflict of interest. I’ve always seen SARs as a part of the DPO role in the past and I don’t think they have to be automatically excluded from the role under GDPR. One way to assure compliance is to be doing the actual work.

I think there is a level of flexibility under GDPR of how a DPO will look for different organisations. ‘Reporting to highest level of mgmt’ doesn’t have to mean the SIRO or CEO is the line manager. It may be that a quarterly report to the board is sufficient (with further access for urgent issues), as long as that reporting and access is formalised.

I also think we’re going to struggle a bit with the fact that ‘Data Protection Officer’ is the title picked by GDPR, as there are a lot of roles that deal with DP work and are called DPOs that won’t be the DPO under GDPR. Especially when the majority of staff won’t give a hoot that DPO is a formal term under GDPR and just want to deal with the officer who can help them with DP.

Victoria Blyth
Information Strategy Manager

Information Management Team
London Borough of Barnet, North London Business Park, Oakleigh Road South, London N11 1NP
Tel: 020 8359 2015

From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Dan Palmer-Dunk
Sent: 11 January 2017 14:46
To: [log in to unmask]
Subject: [data-protection] GDPR Data Protection Officer

Good afternoon all,

I have noticed that quite a few DPO position adverts – or at least related ones mentioning DPOs and GDPR – I’ve seen advertised over the last few months have included handling SARs in the role responsibilities. In considering how this new role can fit into the organisation I wondered if anyone had any thoughts on whether this would be viewed as a conflict of interest for a DPO?

I am aware that a DPO can carry out other tasks in addition to their DPO duties, but if a DPO is meant to be a significantly independent and quasi-auditorial role, and report to the ‘highest level of management’, who would monitor SAR compliance and conduct reviews, etc.?

Your views would be very welcome.

All the best,

Dan Palmer-Dunk

Information Compliance Officer

University of Hull

