Each manager of a department, or a specific responsibility, must assess the data issues and risks as
are relevant to their individual department. The manager must assess what data exists; whether it is
permitted for use; filter out (including deletion of) data that is over-broad or otherwise not permitted;
and ensuring procedures to identify and eliminate processes that open up the risk of future unjustified
data collections. While other agents of the company or organisation will have responsibilities in
relation to data protection compliance, the manager of a department must also engage in best
practices that focus on the data protection obligations of the department. Data protection compliance
requires not just adherence to specific data protection legal provisions, but a full understanding of
what data exists in the department, company or organisation, where it is located and for what
purpose.
The personnel manager needs to be satisfied that all of the internal personnel records are fully data
protection complaint. Just one of the dangers is that these issues are not addressed in appropriate
reviews, contracts and policies. Another risk gap is that there may be policies, etc., but the manager
omitted to appropriately include other non full time employees, such as those whom may be
contractors, temporary staff, interns, or family members.
The marketing manager needs to be satisfied that all of the current and proposed marketing activities,
customer lists, and user lists are all compliant with the new data protection rules.
Organisations should have undergone an A - Z review of data protection compliance in the lead up to
the new EU General Data Protection Regulation (GDPR) go-live date. In many organisations there will
be many activities and actions which carried over from the GDPR review. These need to continue to
be actioned.
In addition, there is also a new Data Protection Act 2018 to consider.
Organisations should also have appointed a new Data Protection Officer (DPO) to assist in these
efforts and to be the official point of contact internally and externally (for data protection supervisory
authorities and for customers and users).
Critically, all Managers need to be aware of data protection compliance and related issues within their
own Department. The Manager has duties and responsibilities.
The Manager cannot simply assume that someone else will do it, or that all data protection issues for
their Department are already being dealt with by the DPO or some other Department.
