The EU GDPR (General Data Protection Regulation) places many obligations on organisations that process personal data – which is pretty much all of them.
Unsurprisingly, that can feel overwhelming.
If you need a bit of help understanding what you need to do to comply with the Regulation, this blog provides a summary of ten key GDPR requirements:
- Lawful, fair and transparent processing
- Limitation of purpose, data and storage
- Data accuracy, integrity and confidentiality
- Data protection impact assessment
- Privacy by design
- Controller–processor contracts
- Data subject rights
- Data protection officer
- International data transfers
- Personal data breach reporting
1. Lawful, fair and transparent processing
The first data protection principle (in Article 5) demands that organisations document a lawful basis, such as legitimate interest or consent, for processing personal data.
Data subjects must also be aware of what personal data you’re collecting and why you’re collecting it. Many organisations communicate that information via a privacy notice, though you can choose a different method.
Your processing activities must also be fair – that is, not unduly detrimental, unexpected or misleading to data subjects.
2. Limitation of purpose, data and storage
The second, third and fifth data protection principles reflect another key tenet of the Regulation: that you minimise your personal data collection and processing.
You must:
- Only collect and process personal data for specific, declared purposes (‘purpose limitation’);
- Minimise the amount of personal data you collect and process (‘data minimisation’); and
- Destroy personal data you no longer need (‘storage limitation’).
3. Data accuracy, integrity and confidentiality
The fourth and sixth data protection principles are about data accuracy and data security.
Specifically, you must ensure that personal data you hold is accurate and complete, otherwise it’s not fit for purpose. If a data subject points out an inaccuracy (by exercising their rights – more on that below), you must correct it.
You must also implement technical and organisational measures to keep the personal data you’re holding and processing secure (Article 32). The Europrivacy® certification scheme outlines concrete checks and controls to ensure your measures are appropriate and adequate.
4. Data protection impact assessment
DPIAs (data protection impact assessments) help organisations identify and minimise risks to data subjects’ rights and freedoms in data processing activities.
The GDPR mandates them for high-risk processing activities. For specific examples of such activities, the Article 29 Working Party guidelines, which are endorsed by the EDPB (European Data Protection Board), are a good place to look.
Article 35(3) of the GDPR also elaborates, specifying that a DPIA is most likely required for:
- Systematic and extensive automated processing, on which significant decisions are based;
- Processing sensitive data or criminal offence data on a large scale; and
- Systematic monitoring of publicly accessible places on a large scale.
5. Privacy by design
Privacy (and data protection) by design is an approach in which you consider and integrate data privacy and protection from the earliest stages of a project and maintain them for the duration of the project’s lifecycle.
The steps you take, typically in the form of risk-appropriate technical and organisational measures, should ensure that data privacy and protection become part of business as usual.
The concept of ‘privacy by design’ isn’t new, but it has attracted more attention since the GDPR made it mandatory in Article 25 (‘data protection by design and by default’).
The idea is that the technical and organisational measures required under Article 32, as well as the data protection principles, are integrated into your processing activities from the get-go.
6. Controller–processor contracts
Article 28 contracts, between controllers and processors, are another important but overlooked aspect of GDPR compliance.
They must clearly identify, among other things:
- The controller;
- The processor; and
- The processor’s responsibilities for data processing and security.
Article 28(3) provides more detail on what the contract must stipulate, including that the processor:
- Only processes personal data on documented instructions from the controller;
- Takes appropriate security measures as per Article 32; and
- Returns all personal data when the contract ends.
7. Data subject rights
Chapter III (Articles 12–22) lays out eight data subject rights, which individuals may exercise:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making, including profiling
These rights aren’t all absolute, but even when you decline a request, you must still respond to the data subject within one month. This includes DSARs (data subject access requests).
8. Data protection officer
A DPO (data protection officer) is an independent data protection expert who:
- Advises on the GDPR requirements;
- Monitors the organisation’s GDPR compliance;
- Assists with some aspects of data protection; and
- Acts as a point of contact for supervisory authorities.
The requirements for a DPO are laid out in Articles 37–39, including when you must appoint one, namely if any of the following applies:
- You’re a public authority or body.
- Your core activities require regular and systematic monitoring of data subjects on a large scale.
- Your core activities involve large-scale processing of sensitive personal data or data relating to criminal convictions or offences.
9. International data transfers
The GDPR sets a high standard of data protection, but its scope is limited to organisations based or operating in the EU. Chapter V (Articles 44–50) therefore restricts international transfers – transfers outside the EEA – unless appropriate safeguards are in place.
Ideally, you’d rely on an adequacy decision. This is granted to approved third countries deemed to have a high enough level of data protection. Here’s a full list of countries.
You can freely transfer personal data between the EEA and countries with an adequacy decision.
For non-adequacy countries, BCRs (binding corporate rules) are the best option if you’re an international organisation. These are effectively a contract that all entities within a global organisation must sign to allow the free flow of data between all entities.
If you can’t rely on either adequacy or BCRs, SCCs (standard contractual clauses) are your best bet. These are model contractual clauses, available on the European Commission website, that comply with Article 28 if you use them without amendment.
10. Personal data breach reporting
Data breaches can happen despite your best efforts.
Should you suffer one, and the breach presents a risk to the rights and freedoms of data subjects, the GDPR (Article 33) requires the data controller to report it to its supervisory authority within 72 hours of becoming aware of the breach.
The controller must also notify affected data subjects “without undue delay” if the risk to their rights and freedoms is high.
Should a data processor become aware of the breach, it must notify the data controller, also “without undue delay”.
The post 10 Key EU GDPR Requirements appeared first on IT Governance Blog.