As usual, the CEO and board are always ultimately responsible for the company's compliance with laws and regulations, but for it to work in practice, responsibility must be distributed: to a person in charge, to each employee and to suppliers who process or have access to personal data. Unfortunately, this is often not done in organizations that lack a DPO. This means that the work done in previous GDPR projects gradually erodes when operations, routines or systems change, when the interpretation of the law is clarified or when the roles of customers and suppliers change. The risk is therefore great that the organization does not follow the regulations over time, which in turn increases the risk of incidents, fines and "bad will".
Some organizations are required by law to appoint a DPO. The DPO must set aside time for planning, follow-up and execution of tasks in order for the organization to ensure compliance with the law. The responsibility of the DPO is to assist the organization in establishing rules, routines and training and, where applicable, to be the contact person for the supervisory authority. The role is also tasked with continuously checking compliance with the rules and reporting any deviations to management for correction. The DPO must not hold any other role within the organization in which they handle personal data, e.g. another management role within the organization, as this generates a conflict of interest. This is to ensure independent and objective review and control.
If your organization does not need to appoint a DPO, it may be wise to appoint a role with corresponding duties. Here, as with the DPO, the role can advantageously be purchased as a service ("DPO-as-a-Service"). The advantages of this include access to experts in the field and the ability to more easily regulate scope, e.g. time and cost.
First of all, we recommend a check of how the organization complies with GDPR today, i.e. carrying out a GAP analysis. (Note: a review/audit must actually be done at least annually according to GDPR.) The GAP analysis shows which measures may need to be taken to restore regulatory compliance.
In parallel with the GAP analysis, we also recommend that you review the management routines, that is, which roles and responsible persons continuously manage and keep the organization's GDPR compliance up to date when the organization, routines or systems change. We at Cegal are happy to help you with the GAP analysis and the ongoing management. We have completed many GDPR projects and have consultants who have held the role of hired DPO/DSO in large, medium and small organizations. We have packaged services that can be easily adapted to the size and complexity of your business.