In the previous part of this series, we talked about GDPR, why it's needed, the key GDPR principles and data subject rights.
In this part, we will talk about controller & processor responsibilities, what a DPIA (Data Protection Impact Assessment) is & what the role of the Data Protection Officer (DPO) is.
Let’s get started.
CONTROLLER AND PROCESSOR RESPONSIBILITIES
This is the third most important topic in the GDPR articles after the GDPR principles & data subject rights.
- Accountability and governance
This is one of the core principles in GDPR. It states that, as an organization, controllers should be able to demonstrate that processing is performed in accordance with the Regulation.
Controllers and processors should ensure, and be able to demonstrate, that processing is carried out in accordance with GDPR.
Controllers and processors should ensure there are written policies.
- Data protection by design and default
As an organization, controllers should:
- Build data protection in as one of the cores of their design. In an IT firm, there should be data protection methodologies in the software development lifecycle, in the business architecture, etc.
- Implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
- Minimize data and consider options for pseudonymisation. This can be achieved by asking a few simple questions like:
- Do you need this data (field, record)?
- Does it need to be personal?
- Is the use of this data absolutely necessary?
- Think about access control. Data should only be accessible to those who really need to see it.
- Records of processing activities
- For an organization of over 250 employees, controllers need to keep a record of processing activities:
- What data is processed and why (purpose of processing)?
- What's the retention period?
- The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations
- The records must be in writing (this can also be electronic)
- This is a must because these records can be requested by regulators.
- Cooperate with supervisory authorities (regulators)
Controllers and processors and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.
- Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures.
- The processor shall not engage another processor without prior specific or general written authorization of the controller.
- Processing by a processor shall be governed by a contract or other legal act that is binding on the processor with regard to the controller.
- The contract or legal act shall stipulate, in particular, that the processor:
- processes the personal data only on documented instructions from the controller. Processors must do nothing other than what is instructed by the controller.
- ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- assists the controller by appropriate technical & organisational measures, taking into account the nature of the processing
- at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless there is a legitimate reason for storage of the personal data
- makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in GDPR and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
- Controllers must manage the processors with which they have a legal contract.
- Processors should keep data secure & make sure persons responsible for processing of personal data are bound by confidentiality.
Data Protection Impact Assessments (DPIA):
It is actually a risk assessment. Primarily, a DPIA is mandatory if we are doing one of the following:
- Processing and profiling that causes significant effects
- Large-scale processing of special category data
- Systematic monitoring of publicly accessible areas on a large scale
What’s in a DPIA?
- Full description of processing
- Whether it is necessary and proportionate
- Risks to fundamental rights and freedom of data subjects
- Risk treatment: in the event a risk materialises, how can a controller deal with it: avoid, reduce, accept, transfer
- Consult regulators if no treatment is available.
To conclude, it's always good to do a DPIA when we are starting a new project or new application. It can give us more insight into how to manage, protect & store our data.
It also gives some kind of assurance to the regulators that controllers are taking GDPR seriously & actually trying to protect the fundamental rights of the data subjects concerning their data.
Data Protection Officer (DPO)
You need a DPO when:
- You are a public authority
- You are doing a lot of systematic monitoring of data subjects on a large scale
- Large amounts of special category or criminal activity data are processed
- A DPO can be outsourced or it can be someone from your organization.
- The DPO needs to be competent
What tasks does a DPO need to do?
- Monitor compliance
- Help and conduct DPIAs
- Point of contact for regulator
- Be the subject matter expert
It is essential that the DPO is pragmatic and risk-aware.
Security and Breach notification
Despite taking all security measures to protect the personal data of data subjects, there can still be a data breach. This section is all about what should be done once a controller becomes aware of a data breach in their systems.
- Appropriate technical and organizational security measures:
Controllers should implement appropriate information security measures based on the risk to the people, not the risk to the organization.
The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller.
- Notify regulator in the event of a personal data breach:
The data controller should notify the regulator within 72 hours of becoming "aware" of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects.
The notification should include:
- A description of the nature of the personal data breach. For instance, what data is lost, how many records, etc.
- Who to contact (name & contact details of the Data Protection Officer (DPO)).
- The likely consequences of the personal data breach for data subjects.
- Mitigation measures the controller has taken or proposes to take.
- Document any personal data breach:
The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
That documentation shall enable the supervisory authority to verify compliance with this Article.
- Notify data subjects in the event of a personal data breach:
This is required if the breach is likely to result in a high risk to the rights and freedoms of data subjects.
It's the responsibility of the data controller to identify whether the data breach is high risk or low risk. The controller can obviously consult a lawyer to determine whether they have to notify data subjects or not.
Next Steps: In the next part of this series, we will discuss a few things we need to follow as an IT team to comply with GDPR. Stay tuned!!