Why Nobody Cares About Data Protection Definition

It is essential to learn the best practices and follow the guidelines to stay on the safe side when it comes to GDPR compliance. Failing to do so can be very costly.

Under the GDPR, both controllers and processors must designate a data protection officer to supervise their data security strategies. The person in question must be located within the EU.

Definition of the Regulation's Scope

Wherever a company is located, the GDPR affects every company and organization that processes personal data of EU citizens. The regulation also broadens the territorial scope of the rules to cover all businesses that offer goods or services to EU citizens. The new rules are likely to push companies to conform to the guidelines, partly because of this expanded territorial coverage and partly because of the increased penalties for violations.

The GDPR defines two distinct types of data handlers: controllers and processors. Data controllers are the individuals, authorities, and other entities that determine why and how personal data is processed. Data processors are third-party organizations that process personal data on behalf of the controller. Examples of data processors are cloud storage providers such as Tresorit or email service providers such as Proton Mail. Both data controllers and data processors are subject to specific rules.

Processing is the term used for any action performed on personal data. It covers a wide range of operations: collecting, recording or organizing data, storing it, altering or adapting it, retrieving or consulting it, disclosing it by transmission, dissemination or otherwise making it available, aligning or combining it, restricting it, and erasing or destroying it. Processing can be done either manually or by automated means. It is also vital to understand that "personal data" means any information relating to an identified or identifiable natural person.

It is the company's responsibility to ensure it has the resources needed to comply with the law, such as budget, staffing and personnel. The company must assign responsibilities and establish accountability. It is crucial to build in data security and to design systems with data protection in mind.

For example, firms must limit the amount of data they hold about their customers and make sure they use it only for the purpose specified. Data must be accurate and up to date, and stored only for as long as required. Firms must also give users the ability to access and correct their personal data.

Companies that are not established within the EU must appoint a representative who is accountable for GDPR compliance. This could be a single employee in a smaller company or an entire department in a major corporation. The GDPR data protection officer or representative should be in a position to handle requests from supervisory authorities and from data subjects on behalf of the represented controller or processor, and should have a thorough knowledge of the GDPR.

Definition of Processing

Every organization that stores or handles personal data must comply with the GDPR. Anyone with a physical or online presence within the EU is covered, regardless of size. The regulation defines two distinct types of data handlers: "controllers" and "processors." Controllers decide why and what data is processed. Processors are third parties that handle data on behalf of a controller; they may include cloud storage providers such as Tresorit, email service providers, or marketing technology companies. The GDPR increases processors' responsibility to keep records and to keep them current. It also expands their legal liability for data breaches.

In general, data is considered personal under the GDPR if it can be used to identify a person. Names, email addresses, telephone numbers, financial information and other identifying details can all be part of it. Companies may process individuals' personal data only when they have one of six lawful grounds. These include consent, performance of a contract with the data subject, performance of a task in the public interest, vital interest, and legitimate interest. Furthermore, data subjects must be given an explicit and clear explanation of how their data will be processed and must have the option of withdrawing consent.

The GDPR also states that personal data should not be stored longer than necessary. Companies should therefore set up a process that deletes certain kinds of data at regular intervals. Legitimate interest is not the same as a legal right; it must be evaluated on a case-by-case basis.

A further requirement is that all information collected about individuals must be kept secure. Companies must be able to recognize a breach or hack and have procedures in place to respond rapidly. They must also be able to notify regulators of a breach within 72 hours so that individual rights can be safeguarded. It is crucial to know what information you hold, where it is kept and what risks it is exposed to. This also means keeping security procedures and systems up to date.

Identifying the Controllers

The word "controller" appears many times in the GDPR, and for good reason. The controller is the entity or person who decides what information to collect, what the data will be used for and, at times, whether that data will be shared. It is also the party in charge of implementing and maintaining GDPR compliance. By its very nature, this is an enormous responsibility.

The definition of a controller is a bit more complex, though, and certain requirements must be met for a party to qualify. Article 4(7) of the regulation describes a "controller" as "a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data."

Suppose you are a company owner collecting your employees' data to run payroll. You might hire an accounting software provider to handle some specifics of the process, but you are still the sole controller. You are the one who determines when, what and how to gather that data, and you are also responsible for establishing the legal grounds for gathering it.

If your company plans to act as a joint controller with another entity, you will be equally responsible for GDPR compliance and must conclude an agreement setting out each party's specific responsibilities. Keep records of your processing activities and consider the legal basis for processing as described earlier. If you are not in compliance with the GDPR, you could be penalized.

It is worth knowing that most of these responsibilities are exactly the same as those processors face. If you are unsure where your responsibilities lie, you may want to read the infographic from Law Infographic that covers the primary responsibilities of a controller in some detail. It also includes a list of the kinds of information you may be handling.

Definition of Processors

A data processor is a person or body that processes personal data on behalf of the controller. A processor's tasks can include collecting, recording, organizing, structuring, storing, altering or retrieving data, consulting it, disclosing it by transmission or otherwise making it available, aligning or combining it, restricting it, and erasing or destroying it. Data processors must demonstrate that they follow the controller's instructions on the purposes and means of processing personal data. The contract between controller and processor should set out these specific responsibilities.

Controllers may work only with processors capable of meeting the requirements of GDPR compliance. These requirements concern the protection of personal data and the processor's ability to prove it has the necessary technical capabilities: encryption of data and pseudonymization where needed, stable system uptime, regularly scheduled testing, backups, and the capability to react promptly in an emergency. Processors must also hold certifications of their own compliance, which can help controllers convince users that their activities are lawful.

The GDPR brought substantial changes compared to the Directive, including the fact that processors now have obligations of their own, which was not the case under the Directive. For instance, they are required to cooperate with DPAs on request and, if they are given instructions that do not conform to EU or Member State law, to notify the controller.

Another key change is that a processor now has direct statutory liability for violations of the law, so data subjects can bring claims against the processor. This was previously impossible, since processors had only been contractually accountable to their respective controllers.

Finally, processors are obliged to keep records of each processing activity and to report on those activities on demand. This is a major new responsibility, and it will require significant investment in record-keeping by processors, especially those that currently outsource some or all of their processing.