Data protection officers must report to CEO under coming GDPR legislation

10 Mar 2017 News

Under new European data protection rules, data protection officers must report directly to either the chief executive or most senior person in their charity, a data protection expert said yesterday. 

Mark Child, an IT auditor and managing director of the business consultancy Newable, told delegates at the Charity Finance Group IT, Data and Cyber Security Conference yesterday that part of the changes introduced by the EU's General Data Protection Regulation (GDPR) made the role of data protection officers “massively important”. 

“The reality is there are some new requirements which mean that as the data protection officer you are going to have a huge amount of responsibility,” he said, and this means “you need to report to the chief executive” or the most senior person in the organisation. 

He said it “must be the highest authority in the business so that you can’t be unduly influenced”. 

Not all charities will have a data protection officer, he said. It is acceptable to outsource data protection to an agency. However there has to be someone with overall responsibility for the charity’s data protection reporting directly to the chief executive, or equivalent.

Role for trustees 

After a delegate asked whether for charities this actually meant they should be reporting directly to trustees, Child said he “wouldn’t have a problem if that was the case”. 

He added: “They really should be taking an active interest in terms of awareness.” 

Risk to reputation

Child also warned that the biggest risk from data protection breaches was the damage that is done to charities’ reputation, which in turn has a “serious impact on donations”.

“The law is already in place – don’t delude yourselves,” he said. “If you don’t get appropriate consent and don’t evidence it you are going to fall foul of the rules.” 

If charities do breach data protection rules it will lead to people cancelling their regular donations he said. 

Civil Society Media is hosting a breakfast seminar discussing the EU General Data Protection Regulation (GDPR) ahead of its introduction in May 2018. For more information, including on how to book, see here.


More on