GDPR Myth Busting: Do you really need a Chief Data Officer?

Posted: 8th May 2018


By: Helen Astill


Apparently a new survey has suggested that almost half of UK business owners are braced for a GDPR non-compliance penalty ahead of the 25 May deadline, with private businesses struggling to agree on how they manage it.

New research undertaken by data privacy firm Ensighten said that 45 per cent of company owners have set money aside in anticipation of a GDPR fine.

It also showed that 61 per cent of survey respondents would apply for an extension to the deadline if they could, giving the impression that most businesses are not yet ready.

We are all aware that the Information Commissioner’s Office (ICO) has the power to fine a non-compliant company up to £17m, or four per cent of annual turnover, whichever is higher. However, the survey found that businesses are unprepared for GDPR because they cannot decide who should be responsible for data protection within a business.

Almost a third of those who responded to the survey said the responsibility should rest with the CEO, but a quarter wanted to give the GDPR responsibility to the chief data officer. This all sounds faintly ridiculous for all but the largest of corporations. Most SMEs will not have the luxury of a separate role with a grand title to deal with data management. The Data Protection Manager will normally be someone who has been given that role as an extra responsibility in addition to their main job.

Having said that, depending on the nature of your business and how often you need to respond to things like subject access requests and reporting of data breaches, the role may take up a significant amount of time and require extra resources, especially while you are setting up your systems.

But as long as you are making strides to put your systems in place, you should not expect to face big penalties on the 25th May. Elizabeth Denham, the Information Commissioner, has said that, “It is scaremongering to suggest that we’ll be making early examples of organisations for minor infringements.” Her focus is on putting the consumer and citizen first. She has said that the focus many commentators have placed on heavy fines for failing to comply with GDPR is misleading, but that small businesses need to understand their responsibilities under the new law.

So if you have not yet started sorting out your GDPR arrangements, it is not too late. Contact me now if you need help.