Accountability
The GDPR introduces the concept of accountability. Governance under the GDPR must be transparent. Data controllers and processors must put in place comprehensive but proportionate systems of governance.
Good practice tools such as privacy impact assessments and privacy by design are mandatory in some circumstances. Applying these methods helps to minimise the risk of data breaches. This is likely to mean more policies and procedures for organisations, though those with good governance will already have these in place. The accountability principle (Article 5 (2)) means you must demonstrate that you comply with the data protection principles and confirms that compliance is your responsibility.
To show compliance you will need to:
– have in place appropriate technical and organisational measures, such as policies, staff training and internal audits, to demonstrate you comply
– keep documentation and records up-to-date
– use measures which protect data by design and default
– appoint a Data Protection Officer (DPO) if necessary
Records of processing activities
In addition to providing a clear and transparent privacy policy, if your organisation employs more than 250 people you will need to keep additional internal records of processing activities.
If your organisation employs fewer than 250 people you need only retain records of activities related to higher risk processing, for example special categories of data or criminal convictions and offences.
What do you need to record?
– the name and details of your organisation
– the purpose of processing
– the categories of individuals and personal data
– the categories of recipients of personal data
– details of transfers of data to third countries and the safeguards in place
– schedules of retained data
– your technical and organisational security measures
These records may be inspected by the regulator.
Data protection by design and default
You are obliged to have in place technical and organisational measures which show you have integrated security into your data processing. Your systems must be designed to hold the minimum data necessary for the shortest duration possible to meet your obligations and legitimate aims, and the design of your system must itself promote security.
Data protection impact assessments (DPIA)
You must carry out a data protection impact assessment when using new technology and processing is likely to result in high risks to the rights and freedoms of individuals. This is likely to occur where your processing is extensive including profiling and where the processing includes decisions which have legal consequences for individuals. It is also necessary when you process personal data relating to criminal convictions or offences.
A DPIA allows organisations to identify the best way to comply with their data protection obligations.
Do we need a Data Protection Officer (DPO)?
That depends. You will need to appoint a DPO if:
– you are a public authority
– you carry out large-scale systematic monitoring of individuals
– you carry out large-scale processing of special categories of data or data related to criminal convictions or offences
Any organisation can appoint a DPO. There are no specific qualifications needed, but they must have professional experience and knowledge of data protection. The role can be contracted out to external bodies and you can share a DPO with other organisations, such as within a group of companies.
Data protection breaches
The GDPR introduces a requirement for organisations to report some types of data breaches to the relevant authorities and sometimes to the individuals affected.
A data breach occurs when personal data is destroyed, lost, altered, disclosed to unauthorised persons or subject to unauthorised access.
A breach must be reported if it is likely to result in a risk to the rights or freedoms of individuals, and if leaving it unaddressed could have a significant detrimental effect on those individuals.
An example may be where a loss of customer details places customers at risk of identity theft.
This will need to be assessed on a case-by-case basis. Where the breach results in a high risk to the rights and freedoms of individuals, then those individuals must be told directly of the breach.
In reporting a breach you must give the supervising authority (in the UK, the ICO) the following information:
– the categories and approximate numbers of the affected individuals and records
– the name and contact details of the DPO or, if there is none, of a senior person in the organisation
– the likely consequences of the breach
– the measures taken or being taken to deal with the breach and mitigate its effects
The supervising authority must be notified within 72 hours of the organisation learning of the breach. If it is necessary to notify the public, this must be done without undue delay. There are substantial fines of up to £10 million or 2% of global turnover for not reporting the breach.
To comply with these requirements you should put in place robust breach detection and reporting procedures which allow early decisions to be taken about any breach.
Transfer of data
To ensure consistent and high data protection standards the GDPR restricts transfer of data out of the EU to third countries or international organisations.
Strict conditions of transfer apply. These include adequate safeguards for the data, and the individuals affected must have effective and enforceable legal remedies after the transfer.