Roles and responsibilities
This section outlines the roles that ensure effective personal data protection within the organization.
We highly recommend publishing a privacy statement on your website and appointing a Data Protection Officer (DPO) or a team responsible for data protection in your organization.
Privacy Statement
To communicate your security policy to your customers, your employees, and other people involved, make sure that you have a privacy statement defined and that everyone concerned can access it. Consider defining the following items in your policy:
- What kind of data is saved in the system?
- What is the retention time of the data saved in your system?
- How is this data protected?
- How can your Data Protection Officer be contacted about data protection questions?
- How can individuals request information about their personal data?
Data Protection Officer (DPO)
Each organization should have a person or persons named as Data Protection Officer (DPO). The tasks of a DPO include but are not limited to:
- Making sure that customers are informed in an appropriate way about any changes in the privacy statement.
- Acting as a contact person for the customers that request information about the personal data saved about them in the system, and deleting that data when requested.
- Being the only one who can collect a person's personal data or delete it on request.
DPO rights are not included in any default role, but user administrators can grant them in System Configurator. These rights enable a user to search and delete personal data with the Generate Personal Data Report tool. For more information, see Managing rights in the System Configurator document.