The role of the Data Protection Officer is to ensure that HMG UK complies with the Data Protection Act 1998 and any applicable rules regarding privacy and information security; to ensure that employees are fully informed of their own responsibilities for acting within the law; and to ensure that data subjects are adequately informed of the purposes for which we process their data and of their rights under the Act and any other relevant legislation.
The job holder is a member of the compliance team and interfaces with those responsible for data protection in the businesses and with data protection regulators.
The job holder is responsible for ensuring that the Board and senior management are apprised of all issues relating to data protection across the Group, including data breaches and their resolution.
Ensuring organisational compliance and conformance with the Data Protection Principles:
• Producing an annual Compliance Monitoring Plan.
• Carrying out the compliance monitoring reviews set out in the Plan, and ad hoc reviews as required, including recommendations for change and subsequent confirmation that the recommended changes have been put in place.
• Providing assurance to senior management that data risks and breaches are managed appropriately.
• Creating and maintaining a data asset register: a list of where customer and staff data is held within the business.
Maintaining and updating own knowledge of developments in Data Protection, information management and records management systems:
• Disseminating new rules and regulations under the Data Protection Act to staff.
• Keeping abreast of proposed and actual changes in regulation, assessing their impact on the business and advising departments and committees on them.
• Ensuring that written information on Data Protection is available for provision to customers and employees.
Assessing the level of compliance within divisions and functional departments:
• Acting as a resource for other employees of the division by providing expert advice on the Data Protection Act and related issues.
• Setting up a Data Protection group with representatives from each division.
Co-ordinating and delivering Data Protection Act activities (including training) with other functional groups (e.g. Legal, IT, HR, Marketing, Finance):
• Identifying data owners likely to hold commercially or legally sensitive information.
• Ensuring those staff are aware of the issues and of their responsibilities (what the data is, how it is used, who has access to it, how long it should be kept and in what format).
Reviewing existing policies and developing, implementing and enforcing suitable and relevant Data Protection and Information Security policies and procedures:
• Providing advice on projects, programmes and data sharing.
• Advising data controllers on the Data Protection Act, and where appropriate on the Privacy and Electronic Communications Regulations, and on their implementation within each department’s area of responsibility.
• Advising on all elements of processing personal data abroad, and on the requirements and implications of local Data Protection laws.
• Identifying and advising on data protection risks as they relate to the company.
• Identifying and advising on data protection risks relating to all major projects proposed or undertaken by the business, including but not confined to risks around supplier relationships and the transfer of data to third parties.
• Identifying and advising on the regulatory requirements that apply to marketing and customer contact campaigns.
Leading on complaints referred by the Information Commissioner, and helping to resolve data protection complaints from the public and staff:
• Undertaking reporting and remedial action as required.
• Maintaining a log of incidents, remedial actions and recommendations.
• Arranging the notification of each company’s personal data processing with the Information Commissioner.
• Monitoring, annually reviewing and amending the organisation’s ICO notification(s).
Conducting frequent audits of data for compliance:
• Maintaining an internal register of personal data processing projects and systems.
• Advising all staff who arrange for data to be processed on behalf of the company by outside contractors on the statutory requirements of the Data Protection Act that must be included in contracts.
• Carrying out Privacy Impact Assessments on all systems processing personal data, and repeating them periodically.
• Ensuring that the Data Protection aspects are properly covered in the governance documents of all systems processing personal data.
• Providing formal compliance reporting.
• Ensuring that compliance reviews cover at least the following:
-Sales processes and processes around product launches;
-Contact centre processes;
-Suppliers of outsourced services;
-Issues relating to new and existing business practices, including the review and sign-off of customer-facing materials, web pages, social media, training materials and sales aids;
-Issues relating to corporate governance.