On May 25th the General Data Protection Regulation (GDPR) becomes fully enforceable. The new legislative package replaces the current Directive 95/46 (‘The Data Protection Directive’) and sets new European rules regarding data protection. Amongst other things, the package sets stringent rules regarding accountability for data controllers and data processors. As May 25th is rapidly approaching, now is the time to get your organisation to understand the General Data Protection Regulation.
As said before, the General Data Protection Regulation sets a legal framework for the processing of personal data. To that end, the Regulation sets preconditions and requirements that must be fulfilled in order to process personal data lawfully. In addition, organisations must meet certain accountability principles. Furthermore, the General Data Protection Regulation strengthens the rights of the data subjects – the persons whose data are concerned. And lastly, the competences of the supervisory authorities are expanded.
The so-called accountability principles are introduced in the General Data Protection Regulation in order to protect data subjects against the unlawful processing of their personal data. Backed by potentially high fines, the new requirements force organisations to take personal data protection seriously within their organisation and their activities. Amongst other things, it forces organisations to set up an administration of processing activities and to devise work processes that incorporate requirements such as the principles of privacy by design and privacy by default.
In general, the requirements can be divided in the following subsets:
- Obligations of your organisation towards the data subjects
- Obligations of your organisation towards the supervisory authority
- Rights of the data subjects
- Competences of the supervisory authority towards your organisation
In this post we will focus on the obligations of your organisation towards the data subjects and the supervisory authorities. What does your organisation need to have in place in order to comply with the General Data Protection Regulation?
The obligations of your organisation towards the supervisory authorities can be summed up as follows and all find their legal basis in the General Data Protection Regulation:
- You must be able to demonstrate compliance with the General Data Protection Regulation;
- When a data breach occurs, you must notify the supervisory authority;
- For some processing activities it is required to execute Data Protection Impact Assessments (DPIA) to investigate the risks and mitigating measures in order to protect the privacy of data subjects;
- Under certain circumstances you must consult the supervisory authority prior to the processing of personal data;
- You must appoint a data protection officer (DPO).
The obligations of your organisation towards data subjects can be summed up as follows and all find their legal basis in the General Data Protection Regulation:
- Use the principles of privacy by design and privacy by default;
- Make clear arrangements between joint controllers;
- Have your processor agreements in place; amongst other things, these must contain clear instructions for the processor;
- Keep records of all processing activities;
- In some circumstances you are required to notify the data subjects in case of a data breach.
As shown above, these requirements potentially touch every part of the organisation. From the IT departments to the legal departments, existing work processes might need to be adjusted in order to meet the requirements of the General Data Protection Regulation. If your organisation has not already started to put the necessary processes in place, now is the time to start. The GDPR clock is ticking!