The overarching reference to demonstrating compliance can be found in the ‘accountability’ principle in Article 5, in which it states that the controller shall be responsible for and be able to demonstrate compliance with the other principles in the same Article – i.e. those of lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. Article 42 goes further – providing for the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with the GDPR. A drill-down into the Recitals and other Articles provides the substance and clarity on how to uphold the principles.
In keeping with the appropriate language of regulation, the GDPR’s Articles’ use of ‘shall’ designates a requirement. The Recitals’ use of ‘should’ usually designates a recommendation and is meant to provide clarity to the binding Articles, rather than replace them. The mentioning of certain Recitals and Articles below are just some examples and not meant to be an exhaustive list applicable to any section. Some may not directly mention ‘demonstrate compliance’ but your demonstration will be obvious for example, by providing the mechanisms for data subjects’ access to their personal data.
Your compliance management app facilitates your compliance journey by either providing the relevant functionality – such as in managing subject access requests – or, the appropriate questions you must ask of your organisation – such as in the Compliance checklists. This article tends to follow the flow of the app.
Data Protection Officer
Article 37 – The controller and the processor shall designate a data protection officer where the processing is carried out by a public authority; the processing operations require regular and systematic monitoring of data subjects on a large scale; or there is processing on a large scale of special categories of data. You may appoint a DPO voluntarily or you may split the role of the DPO – with certain conditions
Consent – Article 7 – Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data
Security of Processing – Article 32 – the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
If you don’t know who your data subjects are, if you don’t have clear reasons why you process personal data, if you don’t know what makes your processing lawful, if you don’t know what data you are processing, where the data is processed and who is processing it – you will not be able to demonstrate any measure of compliance. You will also be at sixes and sevens when trying to respond to data subjects’ requests for access or to a security incident or breach.
Recital 78 – In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.
Recital 82 – In order to demonstrate compliance with this Regulation, the controller or processor should maintain Records of Processing Activities under its responsibility.
Recital 81 – To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees.
Data Sharing / Disclosure
Recital 61 – Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient.
Recital 63 – Every data subject should have the right to know and obtain communication in particular with regard to…the recipients of his or her personal data
Articles 14 & 14 – the controller shall provide the data subjects with the recipients or categories of recipients of the personal data, if any
Data Protection Impact Assessment (DPIA)
Recital 90 – In certain cases, a data protection impact assessment should be carried out…to assess the particular likelihood and severity of the high-risk processing. That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation
Recital 63 – A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.
Article 15 – The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data
(85) As soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018