For Part I, click here.
For Part II, click here.
Now that you are familiar with the main purpose of GDPR and the core of GDPR, everything that your organisation or you do while processing personal data must be in consonance with, and in furtherance of, that core (the principles and the individual rights).
Difference in responsibilities of controller and processor
A data controller has more compliance responsibilities than a data processor, since controllers are the principal decision-makers for processing activities.
A few main responsibilities of a controller include:
- Compliance with the data protection principles and ensuring that the concerned individuals can exercise their rights listed in the GDPR.
- Implementing appropriate technical and organisational security measures to ensure the security of personal data.
- Choosing an appropriate processor that provides sufficient guarantees that they will implement appropriate technical and organisational measures to ensure their processing meets GDPR requirements. The controller should consider the nature of the processing and the risks to the data subjects.
- Entering into a binding processor contract or other legal act with processors, which must contain a number of compulsory provisions as specified in Article 28(3) of GDPR.
- Notifying personal data breaches to the supervisory authorities in the EU, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Controllers should also notify affected individuals (if the breach is likely to result in a high risk to their rights and freedoms).
- Complying with the GDPR accountability obligations, such as maintaining records, carrying out data protection impact assessments and appointing a data protection officer.
- Complying with the GDPR’s restrictions on transfers of personal data outside the EU.
- Appointing a representative within the European Union: If the controller is based outside the EU but offers services to or monitors individuals inside the EU, the controller may need to appoint a representative in the EU, one of the biggest single markets in the world.
- Co-operation with supervisory authorities: you must cooperate with supervisory authorities (such as the ICO) and help them perform their duties.
- There may also be an obligation on the part of the data controller to pay data protection fees to the supervising authority in the respective EU nation.
A few main responsibilities of a processor include:
- Processing the personal data only on instructions from a controller (unless otherwise required by law).
- Entering into a binding processing contract with the controller.
- Sub-processors: The processor must not engage another processor (i.e., a sub-processor) without the controller’s prior specific or general written authorisation. If authorisation is given, the processor must put in place a contract with the sub-processor with terms that offer an equivalent level of protection for the personal data as those in the contract between the processor and the controller.
- Implementing appropriate technical and organisational security measures to ensure the security of personal data.
- Notifying personal data breaches to the relevant controller without undue delay. Many controllers will expect to be notified immediately, and may contractually require this, as they themselves have only a limited time in which to notify the supervisory authority.
- Complying with certain GDPR accountability obligations, such as maintaining records and appointing a data protection officer.
- Complying with the GDPR’s restrictions on transfers of personal data outside the EU. Processors must ensure that any transfer outside the EU is authorised by the controller and complies with the GDPR’s transfer provisions.
- Appointing a representative within the European Union: If the processor is based outside the EU but offers services to or monitors individuals inside the EU, the processor may need to appoint a representative in the EU.
Compliance
Compliance with and awareness of GDPR must be ensured at the following levels:
- Board level - Data Protection Officer must report to the highest level of management within the business; directors may be made personally liable for failure to comply.
- Business level - HR, Sales, Marketing, etc. through staff training and internal policies.
- IT level - to make effective changes to websites, digital record keeping etc.
Steps for Compliance
Below are a few steps in which compliance can be achieved:
Step 1: Registration
Register with the Supervising Authority of the concerned nation where required.
Step 2: Discovery and Data Inventory
- Collate data and prepare an information life cycle (data flow mapping, information asset register (IAR)).
- Classify data and identify personal data.
- Identify purpose of collecting personal data and eliminate unnecessary personal data (need-want-drop).
- Determine if you are the controller or the processor for different personal data operations depending on degree of control.
- Identify who else has/will have copies of the personal data outside your organisation.
- Identify if personal data is being shared with any third countries.
- Collate existing data sharing agreements.
Step 3: Evaluation of Existing Processes
- Look into agreements with joint controllers/processors and see what needs to be changed.
- Check if existing personal data has been lawfully processed (consent, necessity, etc.).
- Check if all the principles of GDPR are being followed and all the data subject rights have been made available to the concerned individuals.
- Check if the existing consent mechanism includes privacy policy, opt-ins, etc. and consent recording.
- Check if you are dealing with any controller/processor established outside the EU and, if so, check that all the GDPR requirements in relation to international transfers of personal data are being followed.
- Bring the existing compliance recording system up to date so that accountability can be demonstrated.
- Evaluate the existing IT security system and make improvements where required (encryption, back-up, security testing, data separation, firewalls, pseudonymisation, Data Loss Prevention systems, access points, etc.).
- Evaluate existing physical factors and make improvements where required (rooms, locks, ID cards, cameras, security staff).
- Evaluate existing risk management system.
The official website of EU GDPR itself provides a very useful checklist that can help you with this step. https://gdpr.eu/checklist/
Step 4: Risk Management
- GDPR encourages a risk-based approach.
- Examples of risks include data loss, data theft, etc.
- Solutions include securing data location with locks, securing IT systems with firewalls, etc.
- There are various tools and spreadsheets that can be used for risk management.
Step 5: Training and Awareness
- Train anyone who deals with personal data.
- Provide specific training for different levels (board, business and IT).
- Provide training in IT security, security policies and procedures, subject access procedures and the breach notification protocol.
- Create and implement internal policies.
- Conduct regular awareness campaigns and demos.
Step 6: Implementation and Improvisation
Once you have evaluated the existing system and carried out a risk assessment, you will be in a position to know your or your organisation’s shortcomings. Now you can bridge the gap by implementing and improvising, for example by improving the record keeping system, drafting and enforcing internal and external privacy policies, editing or replacing data sharing agreements with joint controllers/processors, appointing a Data Protection Officer where required, etc.
GDPR is most certainly one of the greatest achievements of the EU in recent years. Even if you are not involved in EU transactions, it is still a good idea to know and understand GDPR, since many countries in the world, such as Brazil, Chile and Thailand, have already followed suit and many others are seriously considering implementing stricter laws on data protection and the privacy rights of citizens along the lines of GDPR.
Sources:
https://gdpr-info.eu
https://gdpr.eu
https://ico.org.uk
- Dhatri S
About the author: Dhatri is a tech entrepreneur and solicitor (England and Wales) specialising in Data Protection and Employment Law.