The new European General Data Protection Regulation (GDPR) broadens the obligations of those who are responsible for and in charge of data processing, the rights of the interested parties, and even includes a new figure, the Data Protection Officer. But who are the main organisations and individuals that are affected by the GDPR?
In the following post, we will address who these and the other protagonists are that define this European regulation, learning more about it just 10 days away from the date on which it becomes fully enforceable.
This post is also available in Spanish.
Table of contents
1.- Data Subject
The EU General Data Protection Regulation, approved in 2016 but not enforceable until May 25th, responds to an increase in cyberattacks and a search for collaboration between public and private entities in their quest to find a solution.
In this article, we will therefore try to describe the different roles and responsibilities that this important regulation outlines:
In the official English version of the Regulation, the term “data subject” is used to refer to individuals who are within the European Union whose data is processed.
This encompasses all natural persons, who can be distinguished as persons with rights in regards to the processing of their personal data.
Article 4 of the GDPR defines the person who is in charge of data processing as a natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purpose and means of the processing of personal data.
As the name indicates, they are responsible for the processing of personal data but also for its protection.
The key aspect here is “control”. Even if the data is not in the possession of the organisation, for the purposes of the GDPR, the organisation will be responsible for the data if it has control over the data.
The controller is responsible for determining the purposes for which the personal data is used and what privacy protection should be implemented. They are responsible for collecting personal data and determining the legal basis for doing so. They also determine how long to retain the data for.
The responsibilities of the controllers are established in Article 24 of the Regulation. They include:
- Implement the appropriate technical and organisational measures in order to guarantee the legal processing of personal data
- Implement adequate data protection policies
- Conduct a privacy impact assessment when necessary
- Adhere to the codes of conduct drawn up the supervisory authorities in the Member States (such as the ICO in the United Kingdom)
- Take into account data protection by design and default in processing activities
- Demonstrate compliance with the Regulation. Controllers can only appoint those processors who guarantee compliance with the GDPR requirements
The controller can appoint processors for various tasks.
These are natural or legal persons, public authorities or other bodies and organisations that process personal data on behalf of the controller. For example, the controller may have an external IT provider that determines where the data is stored and which technical controls are implemented. That IT company will be the data processor. Or, the controller may pass some personal data to a marketing agency for targeted email campaigns. That agency is a data processor in regards to campaign data.
Other examples of processors would be payroll processing companies, SaaS providers, Cloud service providers, or even companies that provide services related to the secure elimination of personal data.
In summary, any service provider that obtains access to personal data, controlled by the other organisation, is a data processor.
The GDPR has changed these provisions so that both data controllers and data processors are jointly and severally liable for guaranteeing the protection of personal data. Failure to comply with GDPR requirements can result in penalties for both controllers and processors.
As a result, the risks to data processors have increased significantly. The level of responsibility and compliance costs for data processors can also increase if, for example, controllers require the processors to acquire a safety certification or implement additional technical or organisational controls.
It is important that the personal data is always processed in accordance with a written contract, which must indicate:
- the subject matter
- the duration of the processing
- the nature and purpose of the processing
- the type of personal data to be processed
- the obligations and rights of the person in charge of processing the data.
Processors must also implement the appropriate technical and organisational controls. In addition, they must comply with the multiple requirements provided for in Article 28.
- Processing must be governed by a contract or other legal provisions that are binding for the processors
- Adhering to codes of conduct or certification mechanisms to demonstrate compliance
- Not involving other processors without prior authorisation from the controller
- If the first processor assigns other processors, the same data protection obligations will apply as those that apply to the first processor.
4. Data Protection Officer
The GDPR dedicates an entire section to this new figure given its relevance, popularly known as DPO.
In organisations, the DPO is a guarantor of compliance with the data protection regulations, without replacing the functions carried out by the supervisory authorities.
This figure is not mandatory for all organisations, only the following will be required to have an officer:
- public companies
- those that process data on a large scale or collect especially sensitive data or data that is related to criminal convictions or offenses.
Their functions are regulated in Article 39 of the GDPR, of which the following are the most important:
- Supervise the implementation and application of internal policies
- Staff training
- Organise and coordinate audits
- Manage the interested parties’ information and their requests as to the exercise of their rights
- Ensure record-keeping
- Supervise the implementation of the impact assessment
- Act as a point of contact for the supervisory authority.
Supervisory Authority: the independent public authority established by a Member State in accordance with the provisions of Article 51.
Concerned Supervisory Authority: the supervisory authority that is affected by the processing of personal data, because either: a) the controller or processor is established in the territory of the Member State of that supervisory authority; b) the interested parties residing in the Member State of that supervisory authority are substantially affected or are likely to be substantially affected by the processing, or c) a claim has been filed with that supervisory authority.
European Commission for Data Protection: the Commission is composed of a supervisory authority from each Member State (28) and the European Data Protection Supervisor. The role of the Commission will be to review what is working and what is not working, and to also give advice and guidance.
New roles have emerged with the GDPR, such as the figure of the DPO (Data Protection Officer), along with new responsibilities and more rights for users.
Thanks to the creation of this common legal framework, an extra security barrier has been created for the main corporate asset of many companies -personal data-, while also offering the data subjects themselves greater control over this data. So although at the moment it may seem like a challenge for the business sector, overall it is definitely a win-win for everyone.This post is also available in Spanish.