Role extensions for privacy¶
Below is a description of the additional responsibilities that need to be added to the roles of people working on a digital service than uses personal data.
Privacy Officer¶
The privacy officer is the key role dedicated to ensuring privacy. They interact with the digital service team to aid them with privacy related questions and actions. For example:
- Providing guidance on privacy matters relating to the offering’s capabilities.
- Deciding on whether a privacy impact assessment is required.
- Completing and publishing the privacy impact assessment.
- Seeking resolution of the privacy concerns raised in the privacy impact assessment.
- Signing off the data processing certification
- Supporting the offering team during a data breach incident.
Asset Owner¶
The owner of the digital service (aka asset owner) is responsible for investment decision related to the offering. As such they make choices on the types of data that are collected by their offering, the processing that the offering performs on data, what data is stored and shared.
These decisions set the stage for the compliance requirements that the offering must support and the offering manager is accountable for achieving the balance between data processing function verses data protection and the privacy of the individuals who are the data subjects.
In the real of privacy, the offering owner has these additional responsibilities:
- Involve the privacy officer when one of their digital services that uses personal data is being created, or significantly extended. Together they participate in a privacy impact assessment for the digital service.
- Ensure there is appropriate investment for compliance related function.
- Ensure the terms and conditions for the offering clear set out legitimate interest processing.
- Validate with the architect that the offering is compliance.
- Participate in data breach incidents.
Architect Role¶
As a leader of the development of a digital offering that includes personal data, the architect is responsible for:
- Ensuring the offering development team is practicing privacy by design and secure engineering in the coding of the offering.
- Maintaining the data processing descriptions for the offering.
- Overseeing the testing of the offering before deployment to ensure it passes the data processing certification and security certifications.
Data Officer Role¶
The data officer role does not have any specific responsibility for data privacy since much of the work is delegated to the Privacy Officer. However, the data officer is setting the strategy that drives the use of data in digital services and their support systems. The data officer needs to work with the privacy officer to ensure the data strategy is not in conflict with privacy requirements.
Customer¶
A customer is an individual, employee, or legal representative of an external organization that is buying services from the organization. The customer must be able to able to agree to the core data processing that is considered the legitimate interest of the purchased service. This includes the permission to collect, store and process data, plus agreements on sharing and distribution of the data.
A customer is also involved during any data breach incident where their personal data, or personal data that they are responsible for, is compromised.
Asset Consumer¶
An end user of the digital service is an asset consumer. Depending on the capabilities of the digital service, through this interaction, they may also become a data subject (if the digital service collects information about their use of the service) or a data controller, if they upload and manage data about other people.