GDPR: A Closer Look At A Company’s Stakeholders And Their Obligations

Evelyne Salie

Anyone involved in a company-wide European Union General Data Protection Regulation (GDPR) initiative will probably agree that it can’t be an ad hoc approach; it must be a high-grade, cross-functional program. Typically, GDPR programs involve several work streams running in parallel across multiple business lines and geographies. And no matter how many people and business processes are involved (or what their titles and roles may be), all will fall under one of four major stakeholder groups. In this blog, I’ll detail each group’s primary obligations.

CEO and board of directors

The CEO and board of directors will be interested in:

  • Impact of GDPR on business processes, top-to-bottom review of relevant privacy data being processed within the business processes; understand risks and challenges as well as new opportunities
  • Employee training about new requirements, creating awareness of how they should be taking notes and recording information about their customers, prospects, and employees
  • Protect against GDPR-related fines, impact on directors’ and officers’ liability insurance (also known as D&O insurance); the company’s current GDPR risk exposure
  • Cost-effectiveness of data. Is the company collecting and accessing more personal data than is needed? Check possibilities of reducing the amount of data gathered, since continued accumulation of silos of unused, and potentially toxic, data increases the need for encryption – which therefore will require more investments

CCOs, CROs, and related roles

In contrast to the data protection officer, the chief compliance officer (CCO) and chief risk officer (CRO) will focus on “Lawful Processing” Article 6 GDPR and “Accountability” Article 5 GDPR to demonstrate compliance by:

  • Introducing clear, company-wide data protection policies to ensure agility against potential breaches and the ability to quickly inform the relevant authorities
  • Establishing an accountability framework by adding documentation of current risks and controls for the GDPR regulation into the existing internal controls system
  • Incorporating a risk-based approach by assessing the “likelihood and severity of risk” of personal data processing operations
  • For example, “high-risk” processing operations will raise additional compliance obligations, such as data protection impact assessments (DPIAs) and so forth
  • Encouraging a culture of monitoring and assessing data-handling processes

Data protection officers

All businesses that market goods or services to customers within the EU and collect data must appoint a data protection officer. The DPO works on behalf of the customer’s privacy. Thus, many of a data protection officer’s recommendations will run contrary to the aims of other data roles within the company. The data protection officer (DPO) will:

  • Keep up on laws and practices around data protection
  • Conduct privacy assessments internally
  • Ensure that all other matters of compliance pertaining to data are up-to-date
  • Be responsible for advising the organization of its obligations and monitoring compliance
  • Report directly to the highest level of management and have “expert knowledge” of data protection – although the DPO can potentially be outsourced

CISOs, CIOs, and business process owners

These roles generally deal with keeping a company’s data safe and making sure that these troves of data are being exploited to improve business functions across the company. The chief information security officer (CISO) will:

  • Define GDPR requirements in the security strategy
  • Manage information risk management, security incidents, and crisis management
  • Be responsible for cybersecurity, including monitoring access to personal data and reporting of data breaches
  • Limit who has access to personal data and make sure that access is authorized and reflects personnel changes that happen within an organization

The chief information officer (CIO) can advise the DPO on technical solutions, and will typically focus on architecture and fulfillment of new rights of the data subject (Chapter 3 GDPR). These new rights include:

  • Data subject’s consent for processing of personal data, which might be revoked at any time
  • Data subjects – like customers, subscribers, users, employees, partner, external workforce, and so on – will get extended information rights: the right to correct information, the right to export and transfer, as well as the right to be forgotten
  • Information that is no longer required to be stored (for legal reasons, for example) is expected to be completely removed from all storage systems

As I stated earlier, actual titles and roles will vary from one organization to the next, but organizations subject to the EU GDPR will need to establish comprehensive programs addressing these key data-privacy areas. The more automated and integrated the program is (with existing business applications, audit, and compliance tools), the more effective, cost efficient, and preventive this program will become.

For more information on the new regulations, read our other GDPR blogs.


Evelyne Salie

About Evelyne Salie

Evelyne is a highly experienced IT-Solution Principal, Business Developer and Project Manager with over 10 years IT- industry experience within the Governance Risk and Compliance and Finance area of expertise. She currently works as a Senior Director in Business Development at SAP Finance and GRC solutions. In her business development role she is working on concepts and realization for new generation of Finance solutions, running in real time, integrating predictive, Big Data, and mobile, which will change how offices of the CFO work, how the business is run, and how information is consumed.