GDPR for Controllers: Six things you should know (in six minutes)
The General Data Protection Regulation (GDPR) brings big changes for businesses collecting or processing customer data. To comply with the new legislation, it is crucial that you understand where your responsibilities lie under it. In this blog, we present the six most important things a data controller should know about the GDPR. You can find our article for processors [here]. Refer to the table below to determine whether you are a data controller or a data processor.
This blog is a shortened version of our whitepaper ‘GDPR for controllers in ten minutes’. If you want a more detailed guide in addressing the GDPR, be sure to download it at our library.
1. The GDPR is a regulation that (also) applies to processors
One of the seemingly innocuous but very important differences between the GDPR and the privacy directive is that the GDPR is a regulation instead of a directive. Its status as a regulation means it is legally binding in all Member States without national implementing legislation. Concretely, this means the regulation applies in the same way across all EU Member States.
The other difference between the privacy directive and the GDPR is that the GDPR holds processors responsible for processing data in a compliant way. Data processors are required to demonstrate compliance with the GDPR to avoid fines. Additionally, data controllers are only allowed to work with processors who provide sufficient guarantees that they will do so. This means your processors will likely be more motivated to ensure compliant processing, but it also highlights the importance of carefully selecting your processors.
2. Compliance with GDPR principles must be demonstrated
The GDPR contains several important principles that you need to understand and incorporate into your own business practices. Crucially, you will also need to actively demonstrate your compliance with these principles. The first set of principles concerns data protection: these principles ensure that processing is fair and transparent and that no unnecessary data is collected, processed or stored. Additionally, you will need to demonstrate lawful processing. This means that processing has to be based on one of the legal grounds for processing, such as consent or the performance of a contract. If you use consent as your basis for processing, you need to ensure it is given through a freely given, specific, informed and unambiguous indication of the data subject's wishes. Finally, where children are concerned, you must make reasonable efforts to verify parental consent.
3. The GDPR augments the rights of the data subject
One of the reasons why the GDPR is a good regulation for data subjects is that it strengthens their rights. It is important that data controllers understand what rights data subjects have and ensure these rights are respected.
Under the GDPR, data subjects have the right to receive a copy of the data stored about them and can request that data be rectified or erased. They can also object to the processing of their data and withdraw their consent at any time. These are just a few of the rights a data subject has, but they are enough to show how much control data subjects keep over their data after you have collected it. Make sure you communicate these rights to your customers and respect them at all times, both for compliant processing and for a good customer relationship.
4. The GDPR is also about communication
The GDPR is not just about how you handle data; it is also about how you deal with people. The regulation requires you to communicate with your data subjects in a concise and transparent manner about your data collection activities. Additionally, when collecting their data you need to provide customers with information about your company, your processing purposes and your contact details. Also, make sure you communicate any requested information, and any rectification or erasure of personal data, to your customers. Finally, be prepared to inform your data subjects without undue delay of a personal data breach.
5. GDPR compliance requires focus on some key areas
The GDPR is a broad piece of legislation, touching upon many different areas of data processing. Exactly which changes you have to make depends on the structure of your company, and a full list of possible actions would be quite long. We have, however, compiled five key areas that you should focus on. See our whitepaper for an extended list of possible actions.
- In many cases you will have to designate a Data Protection Officer (DPO) and communicate their contact details to the supervisory authority. Even when not required by the GDPR, appointing a DPO is a good idea. The DPO is involved in all issues relating to the protection of personal data and holds an independent position in the company.
- Implement appropriate technical and organisational measures to ensure an appropriate level of security and to demonstrate that processing is in line with the GDPR. You should also become familiar with the principles of data protection by design and by default, building data protection into every part of how you handle customer data. Crucially, as a controller you should make sure your processors do so as well.
- If you employ more than 250 people, you are required to maintain written records of processing activities. These records must contain specific information (specified in the GDPR) and be made available to supervisory authorities on request.
- When working with a processor, make sure to enter into a written contract that specifies the processing activities and their duration. Ensure this contract sets out the important GDPR obligations, such as that the processor may only act on your instructions.
- Carry out a Data Protection Impact Assessment (DPIA) before starting potentially high-risk processing, and seek the advice of your DPO while doing so. If you cannot take measures to mitigate the risk, the supervisory authority should be consulted.
6. Non-compliance can have serious repercussions
We don't want to scare you, but non-compliance with the GDPR can pose a big threat to your business. Under the GDPR, data subjects have the right to lodge complaints about your data processing. Additionally, controllers are liable for damages caused by non-compliant processing, and data subjects may have the right to receive compensation. Finally, fines of up to €20,000,000 or up to 4% of global annual turnover can be imposed on non-compliant organisations.
The GDPR is complex legislation, and this blog by no means offers an exhaustive overview of its content. Cooperation between your legal department, IT department, upper management and outside professionals is key to getting to grips with the GDPR in time. At Datastreams.io we are happy to do our part, providing our Data Stream Manager and Consent Manager. These solutions allow you to manage data streams and consent in your company in a comprehensive and structured way, so you can get one step closer to GDPR compliance.