Controller obligations – GDPR imposes new and increased compliance obligations on controllers. They must implement appropriate policies, keep records of processing activities, adopt privacy by design and by default, do data protection impact assessments where necessary, review existing processor contracts, etc.
Processors – these will need to comply with a number of specific obligations, including to:
maintain adequate documentation (Article 30);
implement appropriate security standards (Article 32);
carry out routine data protection impact assessments (Article 32);
possibly appoint a data protection officer (Article 37);
comply with rules on international data transfers (Chapter V); and
cooperate with national supervisory authorities (Article 31).
Consent is still valid as a lawful basis, but it has become harder to obtain. Organisations must therefore review their processing purposes where consent was the lawful basis, asking for example:
are data subjects provided with a clear explanation of the processing to which they are consenting?
is the consent mechanism genuinely of a voluntary and "opt-in" nature?
are data subjects permitted to withdraw their consent easily?
has the organisation stopped using pre‑ticked boxes?
are there existing situations where consent might be considered as not having been freely given?
Data subjects’ rights – the time limit to respond to subject access requests (SARs) is reduced from 40 days to 1 month, more information must be supplied in response to SARs, and the fee structure has changed. The right to erasure (to be forgotten) has a broader scope, which also potentially impacts the right to restriction of processing. The right to data portability is new – so, how well are organisations able to respond? The right to object to processing imposes a new burden on organisations to demonstrate compelling grounds for continuing the processing – this has potential impact for organisations currently relying on ‘legitimate interests’ as a lawful basis. The right to object to processing for scientific, historical or statistical purposes provides a more specific right to the data subject than the Directive did.
72-hour breach notification – organisations must report data breaches to the relevant supervisory authority within 72 hours of detection. Organisations will need to review their internal reporting structures to assess whether they are up to the task of responding to and managing incidents.
Appointing a Data Protection Officer – Public authorities as well as organisations that regularly and systematically monitor data subjects, or process sensitive personal data on a large scale, must appoint a DPO.
Existing operations – these should be reviewed to see whether any might now be considered ‘high-risk’, whether the processing purpose has changed, whether it now involves children, etc., and what the impact may be in terms of further compliance, review of security, etc.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018