After our article GDPR: what new rights for your personal information?, we go further into what the general regulation brings to data protection. As well as extending the rights of people whose personal data is processed, the General Data Protection Regulation puts a wide range of obligations onto the bodies that process the data.
To understand the key aspects of the GDPR, we recommend watching our video GDPR: 1 minute to understand and take action.
The obligations of data controllers and processors
Whether it is a hotel that needs a guest's details to take a reservation, or a dating site that collects a wide range of information at sign-up, businesses process personal data on a routine basis. The Regulation sets up a framework for this processing and imposes a number of obligations on the bodies that carry it out. Some of these obligations fall on the data controller alone, while others are shared between the controller and a processor.
The data controller must be able to demonstrate that the processing it performs, or has performed, is compliant with the Regulation (the principle of accountability). Adherence to an approved code of conduct or certification mechanism may be used to demonstrate this (article 24).
The data controller is also required, both at the time of the determination of the means for processing and at the time of the processing itself, to implement measures that will facilitate compliance with the Regulation (privacy by design), and measures to ensure by default that processing is limited to that which is necessary (privacy by default) (article 25).
Where it is established outside the EU, the data controller or processor must appoint a representative established within the EU (article 27).
The data controller and the processor must keep a detailed record of processing operations which can be made available to the supervisory authority at all times, and cooperate with it (articles 29 and 30).
The data controller is required to implement technical and organisational measures to ensure the security of the processing, such as pseudonymisation and encryption of the data (article 32).
Furthermore, the data controller must notify the competent supervisory authority, without undue delay, of any breach likely to endanger individuals' rights and freedoms. The persons concerned must also be notified, unless appropriate measures have been put in place. The processor must notify the data controller of any data breach without delay (articles 33 and 34).
When a type of processing is likely to result in a high risk to the rights and freedoms of individuals, the data controller must conduct a data protection impact assessment of the envisaged processing operations. This assessment is required in particular in the event of automated processing (including profiling) or processing of the categories of data specified in articles 9 and 10 (article 35).
Appointing a Data Protection Officer
The data controller and the processor must appoint a Data Protection Officer (DPO), whose role is to ensure compliance with the Regulation. This is obligatory where:
- the processing is carried out by a public authority or body, except for the courts,
- the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or processing on a large scale of the categories of data specified in articles 9 and 10 (articles 37 to 39).
Codes of conduct and certification mechanisms can be set up in order to assist with the proper application of the Regulation (articles 40 to 43).
The data controller or the processor cannot transfer data to third countries or international organisations unless the Commission has issued an adequacy decision, or unless appropriate safeguards have been provided and enforceable rights and effective legal remedies are available to the persons concerned. Outside these cases, and except as provided for in article 49 of the Regulation, transfers are only possible if they are not repetitive, affect only a limited number of data subjects, are required for legitimate ends, and if the data controller has assessed all the circumstances of the transfer and, on the basis of that assessment, has provided appropriate data protection safeguards (articles 45 to 50).
Penalties for failure to respect obligations under the GDPR
One of the main new features of the Regulation is the introduction of an administrative fine of up to €20,000,000 or 4% of the annual worldwide turnover for the previous financial year, whichever is higher (article 83).
Bringing companies into line with the new requirements of the Regulation, which comes into force in a year’s time, should therefore be considered as an important project which will call for substantial effort. Business & Decision is here to help you through this process and in pursuit of your personal data protection objectives. Contact us.