“We are looking to tighten up our policies and procedures on Data Protection Act compliance and there has been some confusion over where responsibility for compliance should lie. Historically this has fallen within the IT teams but we are not sure that this is the best place. In other companies, who takes prime responsibility for Data Protection – both Notifications to the Information Commissioner and compliance with the principles of the Act?”
FTSE SMALL CAP said
It has always, in my experience, been a matter for the Company Secretary, as part of the overall legal compliance role that is generally part of that job. Once the procedures and registrations are in place, some responsibilities may be delegated, with periodic training (e.g. for HR teams in the event of Data Subject requests, or IT for secure storage of data). If personal data is a key business asset – for example, of a service/sales/marketing business – a full-time DPA compliance officer could be useful.
FTSE 250 said
The Cosec takes responsibility for compliance and chairs a Data Security committee which includes representatives of each operational area of the business plus IT and HR. Each member is responsible for their area. Policies and procedures are regularly reviewed through the committee and new regulations/guidelines are considered.
EX LISTED said
This used to be the responsibility of the Company Secretarial Department. However, with the increased focus on Competition Law compliance and the Bribery Act, we now have a dedicated Compliance Officer who has taken over responsibility for Data Protection.
FTSE 100 said
The Company Secretary has ultimate responsibility for both compliance and notifications.
This involves close involvement with heads of operating areas who ensure compliance within their areas of responsibility and who assist with the preparation of notifications.