The GDPR brings many new rules and obligations. On the other hand it also adapts, specifies, eases, or removes many rules from previous privacy regulations.
As with previous privacy regulations, the GDPR distinguishes two types of organisations: data controllers (Article 4(7)) and data processors (Article 4(8)). It is very important to understand whether your company is a controller or a processor, because each has different obligations under the GDPR. In short, a data controller determines the purpose(s) and means of the processing of personal data, whereas a data processor processes personal data on behalf of the controller.
Let’s explore the most important obligations under the GDPR.
Obligations as a data controller
As a data controller…
- You must, of course, make sure you process personal data in compliance with the GDPR (Article 6(1)).
- You may only process personal data that is adequate, relevant and limited to what is necessary for the purposes for which they are processed (Recital 39).
- You should implement appropriate security measures to protect the personal data you process against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access (Recital 83 & Article 32).
- You should implement data protection measures, both during the planning phase of processing activities of personal data, and during the implementation phase of any new product or service. This is known as the principle of “Data protection by design” and “Data protection by default” (Recital 78 & Article 25).
- You are required to keep records on all your processing activities involving personal data (Recital 82, 89 & Article 30).
- Consider carrying out a Data Protection Impact Assessment (DPIA) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons (Article 35). Our next blog examines the DPIA in more detail.
- You may be required to appoint a Data Protection Officer (Article 37, 38, 39). A later blogpost will be dedicated to this newly introduced function.
- When working together with a processor, both you and your processor have to guarantee compliance with the GDPR. This must be made explicit in the contract between controller and processor.
- You should familiarise yourself with the rules on cross-border data transfers, as these are much stricter under the GDPR (Article 44-50).
- You have to report any incidence of a data breach within 72 hours to the authorities and to the affected data subjects (Article 33, 34).
Obligations as a data processor
As data processor, the most important rule is to process personal data according to your contract with the data controller, and in no other way (Article 29). Under previous regulations, data controllers could be held responsible for both their own actions, as well as for those of their data processors. Under the GDPR, processors are held accountable for their own actions.
If you are a data processor, heed the following:
- As with data controllers, you must implement appropriate security measures (Recital 83 & Article 32), keep records (Recital 82, 89 & Article 30), carry out Data protection Impact Assessments (Article 35), adhere to obligations regarding Cross‑Border Data Transfers, and possibly appoint a Data Protection Officer (Article 37, 38, 39).
- If you suffer a data breach, this must be reported to the controller “without undue delay” (Article 33). This timeframe should be specified in the contract with the controller, to make sure you are both on the same page as to what this means.
- If you want to use a sub-processor, you need prior written consent of the controller (Article 28(2) & 28(4)).
- If you believe that its controller’s instructions conflict with the requirements of the GDPR, you must immediately inform your controller (Article 28(3)).
- The controller has the right to do a security audit when it wants you to demonstrate compliance with the GDPR (Article 28(3)(h)).
Additionally, if a processor undertakes data processing operations for which there is no explicit consent by the controller, the processor is considered by law to be a controller itself, with all corresponding obligations and consequences.
What does this mean for you?
The next step for your company, regardless whether you are a controller or a processor, should be to check the personal data you already have, and how you are currently processing. Even the saving or keeping of data ‘for later’ is considered processing! Take a thorough look at the processes you currently employ. There is a chance they are in need of an update to be compliant with the obligations demanded by the GDPR. If this is the case, action is required.
In our next blog, we will continue our examination of the new obligations, by exploring the requirements and benefits of Data Protection Impact Assessments.