Responsibilities and obligations
Topics to be covered

- accountability
- the role of the data protection officer
- the responsibilities of a data protection officer
- the responsibilities of the information commissioner
- why is GDPR law important for you and your company?
- data controllers and data processors under gdpr
- compliance deadlines and penalties
- summary
Accountability
One of the data protection principles is accountability. It means that you are responsible for complying with the GDPR. Part of being accountable is being able to demonstrate this compliance.
When organisations demonstrate accountability, it helps to provide mitigation in the event of any enforcement action. It does this because it shows that any risks have been considered and that measures and safeguards have been put in place.
Some of the measures organisations can put in place include:
→ enforcing data protection policies
→ using the ‘privacy by design’ model for the organisation
→ having written contracts with third parties for data processing
→ documenting all processing activities
→ having sufficient security measures
→ recording and reporting personal data breaches
→ carrying out impact assessments where the use of data may put the interests of data subjects at risk
→ appointing a data protection officer
Organisations must maintain accountability on an ongoing basis. This means measures must be continuously reviewed and changed where necessary.
The role of the data protection officer

A data protection officer is a position all companies must fill when they handle the personal data of EU citizens, or if they are a public authority.
The role of the data protection officer is to ensure that companies and their employees comply with internal GDPR requirements.
They do this by identifying data protection risks and putting preventative measures in place to ensure the risks are properly dealt with.
Organisations can employ an existing employee to take the role of the data protection officer or appoint an officer externally.
The individual must be an expert in data protection to be able to perform tasks appropriately.
They must act independently and they must also be adequately resourced and report to the highest management level.
Having a data protection officer helps companies to demonstrate compliance, and is central to maintaining a focus on accountability.
The responsibilities of a data protection officer
The data protection officer is responsible for ensuring that your company complies with the GDPR.
The GDPR states that the data protection officer’s responsibilities include:
→ training employees in compliance with data protection laws
→ regular security audits to ensure GDPR compliance
→ advice to companies on impact assessments
→ acting as a point of contact between companies and the supervisory authority (ICO)
→ keeping organised records of all data processing that is handled by the company
→ communicating with data subjects and informing them of how their personal data is being used and how the company is protecting this data
→ responding to data subject requests, such as requests for copies of their data or for data erasure, and ensuring these requests are fulfilled
Data protection officers must be easily accessible to employees.

They must also have regard to the risks associated with data processing, taking into account the nature of the processing as well as its context and purpose.
It is also important that data protection officers do not carry out tasks that could result in a conflict of interest.
The responsibilities of the information commissioner
The role of the information commissioner differs from nation to nation. In the UK, the Information Commissioner’s Office (ICO) is responsible for enforcing data protection legislation.
The ICO upholds information rights in the public interest, promotes openness by public bodies, and protects the privacy of individuals’ data.
They are also able to:
1 carry out investigations where data breaches have occurred
2 issue fines where appropriate
3 offer advice to organisations on GDPR compliance
The ICO will also audit companies for their data collection and storage practices.
Why is GDPR law important for you and your company?

For a business, the GDPR means it will need to improve its security levels over the data it handles. Companies also need to make sure that consent is explicitly given when gathering data, and information must be disclosed on the purpose of gathering the data.
The GDPR is important to businesses as:
→ it helps them to protect EU data subject rights.
→ it identifies what companies that process personal data must do to safeguard data subject rights.
→ it helps to safeguard data subject rights.
→ it prompts them to review their business processes, applications and forms on a regular basis.
Companies can benefit from the GDPR as it provides guidance and best practice rules for businesses to follow regarding the processing of personal data. This is important, as there are tough penalties for organisations that fail to comply with GDPR, and companies are held liable for any data breaches that may occur.
There are benefits for companies who show that they value an individual’s privacy beyond their legal obligations. Companies that are transparent about the data they use, and that design and implement new and improved ways of managing customer data, build deeper trust and retain more loyal customers.