Step 3: Appointing a Data Lead
Contents
- Introduction
- Step 1: What do I need to know about data protection?
- Step 2: Who is responsible for what?
- Step 3: Appointing a Data Lead
- Step 4: Understanding data subjects' rights
- Step 5: Gathering data
- Step 6: Data discovery
- Step 7: Keep a record
- Step 8: Check your security
- Step 9: Third parties
- Step 10: Publish your privacy stance
- Step 11: Delete and destroy
- Step 12: Responding to a breach
Step 3: Appointing a Data Lead
Data protection can be complicated and does require some knowledge of the subject. It is advisable that the responsibility for leading on data protection is an individual that can act as a Data Lead. Anyone acting as a Data Lead is responsible for supporting the Scout Unit they are attached to.
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) require several specific provisions to be in place for an organisation, which consider proactive and reactive data protection practices.
To assist an organisation in handling the responsibility for guidance and advice, emphasis has been placed on the Data Protection Officer (DPO) role. In some cases, this role is mandated by the Information Commissioner’s Office (ICO). This is when the data gathered and processed is sensitive in nature (special category) and ‘large scale’. Large scale is not defined but it’s implied to be more than 50% of the total data held.
If the requirement for a DPO does not apply, it is still advisable to align the proactive and reactive duties of the role to a Data Lead, either an internal or external resource:
Proactive
The proactive duties that should align to the GDPR and DPA 2018 legislation include:
- Keeping updated on data privacy legislation and any changes
- Informing the organisation and staff of updates to data privacy legislation
- Assessing risk for any significant projects/changes that may require Data Privacy Impact Assessments (DPIA) – risk assessment for any new or changed processing activity or system, a template has been provided
- A record of processing (and data inventory document)
- Any other steps to accountability
Reactive
The data protection lead has a requirement to be available in a reactive capacity for situations such as:
- A breach incident, where a breach has occurred and needs to be assessed, managed and reported upon, including reporting to the ICO
- Subject Rights Request (SRR), where a request has been received from a data subject to do something with the data you hold on them (disclose, delete, rectify, etc.)
It is advisable that the individual who takes on the role:
- Be up to date with the GDPR and DPA 2018
- Be able to communicate with the organisation at the highest level
- Where possible, be independent and impartial with no conflict of interests with the organisation
- Have a good understanding of the organisation's data processing activities
Due to the diverse skillset throughout the volunteer structure, it is advisable to look within the local Scout Units for anybody that can fulfil this role.
A new Accreditation has been created with associated training that assists individuals in becoming a District based Data Lead.
More information about this role can be found on our Leadership Team Accreditations page.
Useful resources for Step 3