Understanding GDPR: Controller and Processor Responsibilities
Need help understanding GDPR? This post covers controller and processor responsibilities, the Data Protection Impact Assessment (DPIA), the Data Protection Officer (DPO), and breach notification.
In the previous posts of this series, we talked about GDPR, why it's needed, GDPR key principles, and data subject rights.
Today, we will talk about controller and processor responsibilities, what a DPIA (Data Protection Impact Assessment) is, and the role of the DPO (Data Protection Officer).
Let’s get started.
Controller and Processor Responsibilities
This is the third most important topic of GDPR requirements, after GDPR principles and data subject rights.
Governance Responsibilities
- Accountability and governance:
This is one of the core principles of GDPR. The controller is responsible for, and must be able to demonstrate, that processing is performed in accordance with the Regulation (the accountability principle, Article 5(2)).
Controllers and processors should both ensure and be able to demonstrate compliance. In practice that means written policies, records of what is processed and why, and evidence (reviews, audits, training records) that the policies are actually followed; a policy nobody can show was applied does not demonstrate anything.
- Data protection by design and default
As an organization, controllers should:
- Build data protection into the core of the design. In an IT firm, that means data protection steps in the software development lifecycle (requirements, design review, code review, release), in the business architecture, etc., rather than a review bolted on at the end.
- Implement appropriate technical and organizational measures for ensuring that, by default, only personal data that is necessary for each specific purpose of the processing is processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage, and their accessibility; in particular, by default personal data must not be made accessible to an indefinite number of people without the individual's intervention.
- Minimize data and consider options for pseudonymization. This can be achieved by asking a few simple questions for each field or record:
- Do you need this data (field, record) at all?
- Does it need to be personal, or would an aggregate, a pseudonym, or a coarser value (year instead of full date of birth, postcode area instead of full postcode) do?
- Is each use of the data really necessary for the stated purpose?
- Think about access control. Data should be accessible only to those who really need to see it for their role, and that access should be reviewed as roles change.
- Records of processing activities
Controllers, and processors for the processing they carry out on a controller's behalf, need to keep a record of processing activities (Article 30). Organizations with fewer than 250 employees are exempt only if their processing is occasional, is unlikely to result in a risk to data subjects, and involves no special category or criminal conviction data; most organizations that process personal data as part of their normal business therefore need the record regardless of headcount. The record covers:
- What data is processed and why (the purpose of processing), and the categories of data subjects and of personal data
- What the retention period is (or the criteria used to determine it)
- The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations, and where applicable the safeguards for such transfers
- Where possible, a general description of the technical and organizational security measures
- The records must be in writing (electronic form is fine)
- This is a must because the record must be made available to the supervisory authority on request.
- Cooperate with supervisory authorities (regulators)
The controllers, processors, and (where applicable) their representatives shall cooperate on request with the supervisory authority in the performance of its tasks.
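As an added illustration of the "data protection by design and default" points above (this is example code written for this edit, not code from the original article), the following Python snippet encodes the "do you need this field?" question as per-purpose rules, generalizes fields that only need to be coarse, and pseudonymizes identifiers with a keyed HMAC. The key, the sample record, the purpose names and the field rules are all constructed for the demonstration. The last function exists to show why an unkeyed hash of a low-entropy identifier is not a pseudonym: the value is recovered by simply enumerating the identifier space.

```python
"""Data protection by design: purpose-bound minimisation and keyed pseudonymisation.

Added illustration; the key, the sample record and all purpose/field names are
constructed for this example.
"""
import hashlib
import hmac
from typing import Any, Callable, Iterable, Optional

# Constructed demo key. In a real deployment the key lives in a KMS/HSM and is
# held by the controller, separately from the pseudonymised dataset: data only
# counts as pseudonymised if re-identification requires that separately kept
# additional information.
KEY = b"constructed-demo-key-do-not-use-in-production"

# Constructed sample record (fictional person).
SAMPLE_RECORD = {
    "customer_id": "C-10042",
    "email": "alice@example.com",
    "full_name": "Alice Example",
    "date_of_birth": "1988-04-12",
    "postcode": "SW1A 1AA",
    "purchase_total": 129.99,
}

# Per-purpose rules (constructed): the "do you need this field?" answer written
# down. Any field not named in a purpose's rules is dropped for that purpose.
PURPOSES = {
    # Analytics must link a customer's purchases but never learn who they are.
    "sales_analytics": {
        "pseudonymise": {"customer_id"},
        "generalise": {"date_of_birth", "postcode"},
        "keep": {"purchase_total"},
    },
    # Support staff must contact the person, so identity stays in clear,
    # but they have no need for date of birth or purchase history.
    "support": {
        "pseudonymise": set(),
        "generalise": set(),
        "keep": {"customer_id", "email", "full_name"},
    },
}

# Generalisers reduce precision and return (new field name, coarser value).
GENERALISERS: dict[str, Callable[[str], tuple[str, str]]] = {
    "date_of_birth": lambda v: ("birth_year", v[:4]),
    "postcode": lambda v: ("postcode_area", v.split()[0]),
}


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym.

    Same key + same value -> same pseudonym, so records stay linkable within a
    dataset; a different key per purpose prevents linking across datasets.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256, included only to show why it is NOT a pseudonym."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def minimise(record: dict[str, Any], purpose: str, key: bytes) -> dict[str, Any]:
    """Return only what `purpose` needs, transformed according to its rules."""
    rules = PURPOSES[purpose]
    out: dict[str, Any] = {}
    for field, value in record.items():
        if field in rules["pseudonymise"]:
            out[field] = pseudonymise(str(value), key)
        elif field in rules["generalise"]:
            new_field, new_value = GENERALISERS[field](value)
            out[new_field] = new_value
        elif field in rules["keep"]:
            out[field] = value
        # anything else is not necessary for this purpose and is dropped
    return out


def dictionary_attack(digest: str, candidates: Iterable[str],
                      hasher: Callable[[str], str]) -> Optional[str]:
    """Recover a value from its digest by trying every candidate.

    Customer numbers, emails and similar identifiers have tiny entropy, so an
    unkeyed hash is reversed almost instantly; the keyed pseudonym survives
    the same attack unless the attacker also holds the key.
    """
    for candidate in candidates:
        if hmac.compare_digest(hasher(candidate), digest):
            return candidate
    return None


if __name__ == "__main__":
    print(minimise(SAMPLE_RECORD, "sales_analytics", KEY))
    print(minimise(SAMPLE_RECORD, "support", KEY))
    ids = [f"C-{i:05d}" for i in range(10000, 11000)]
    print(dictionary_attack(unkeyed_hash("C-10042"), ids, unkeyed_hash))
    print(dictionary_attack(pseudonymise("C-10042", KEY), ids, unkeyed_hash))
```

Two design points worth noting: the purpose rules are data, not code, so they can be reviewed and recorded alongside the record of processing activities; and using a separate HMAC key per purpose means an analytics export and a marketing export cannot be joined on the pseudonym without access to both keys.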
Data Processors
- Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures.
- The processor shall not engage another processor without prior specific or general written authorization of the controller.
- Processing by a processor shall be governed by a contract or other legal act that is binding on the processor with regard to the controller.
- The contract, or legal act, shall stipulate, in particular, that the processor:
- Processes the personal data only on documented instructions from the controller. Processors must do nothing beyond what the controller has instructed; a processor that starts determining the purposes and means of processing on its own is treated as a controller for that processing, with all of a controller's obligations.
- Ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Must assist the controller by appropriate technical and organizational measures considering the nature of processing
- At the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing and deletes existing copies unless there is a legitimate reason for storage of the personal data
- Makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in GDPR and allow for and contribute to audits, including inspections conducted by the controller or another auditor mandated by the controller.
- The controller remains responsible for the processing and must actively manage the processor under that contract: check the guarantees before onboarding, review audit results, and track sub-processors.
- The processor must keep the data secure and make sure the persons responsible for processing the personal data are bound by confidentiality.
Data Protection Impact Assessments (DPIA)
It is actually a risk assessment, with the risk measured against the data subjects rather than the organization. A DPIA is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals, and in particular when we are doing one of the following:
- A systematic and extensive evaluation of individuals based on automated processing, including profiling, on which decisions are based that produce legal or similarly significant effects
- Large-scale processing of special category data or criminal conviction data
- Systematic monitoring of a publicly accessible area on a large scale
Supervisory authorities also publish lists of processing operations for which a DPIA is mandatory, so check the list of the regulator you fall under.
What’s in a DPIA?
- The full description of the processing
- Whether it is necessary and proportionate
- Risks to fundamental rights and freedom of data subjects
- Risk treatment: for each identified risk, how will the controller deal with it? Avoid, reduce, accept, or transfer, with the measures that address the risk and demonstrate compliance.
- Consult the regulator before starting the processing if, after treatment, the residual risk is still high.
To conclude, it's always good to perform a DPIA when we are starting a new project or new application. It can give us more insights into how to manage, protect, and store our data.
It also gives some kind of assurance to the regulators that controllers are taking GDPR seriously and actually trying to protect the fundamental rights of the data subjects concerning their data.
Data Protection Officer (DPO)
You need a DPO when:
- You are a public authority or body (except courts acting in their judicial capacity).
- Your core activities consist of regular and systematic monitoring of data subjects on a large scale.
- Your core activities consist of large-scale processing of special category data or criminal conviction data.
The DPO can be an employee or outsourced under a service contract. The DPO needs to be competent, with expert knowledge of data protection law and practice, and must be able to act independently: reporting to the highest management level and not instructed or penalized for how they perform their tasks.
What tasks does a DPO need to do?
- Advise
- Monitor compliance
- Help and conduct DPIAs
- Point of contact for the regulator
- Be the subject matter expert
It is essential that DPO is pragmatic and risk-aware.
Security and Breach Notification
Despite taking all security measures to protect personal data of data subjects, there can still be a data breach. This section is all about what should be done in case a controller becomes aware of a data breach in their system.
- Appropriate technical and organizational security measures:
Controllers and processors should implement information security appropriate to the risk, assessed as the risk to the people whose data is processed, not the risk to the organization. The Regulation names, as measures to consider where appropriate: pseudonymization and encryption of personal data; the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability and access to personal data in a timely manner after an incident; and a process for regularly testing and evaluating the effectiveness of those measures.
The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller.
- Notify the regulator in the event of a personal data breach:
The data controller should notify the regulator without undue delay and, where feasible, not later than 72 hours after becoming "aware" of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. A notification made later than 72 hours must be accompanied by the reasons for the delay, and it can be made in phases if not all information is available at once. A processor that becomes aware of a breach must notify the controller without undue delay; the 72-hour clock runs from when the controller becomes aware.
Notification should include:
- A description of the nature of the personal data breach: for instance, what data is affected, the categories and approximate number of data subjects and records concerned.
- Who to contact (name and contact details of the Data Protection Officer (DPO) or another contact point).
- The likely consequences of the personal data breach for data subjects.
- The measures the controller has taken or proposes to take to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Document any personal data breach:
The controller shall document any personal data breach, comprising the facts relating to the breach, its effects, and the remedial action taken. This applies to every breach, including those judged not to require notification.
That documentation shall enable the supervisory authority to verify compliance with the notification obligations.
- Notify data subjects in the event of a personal data breach:
This is required, without undue delay and in clear and plain language, when the breach is likely to result in a high risk to the rights and freedoms of data subjects. Communication to individuals is not required if the data was rendered unintelligible to unauthorized parties (for example, properly encrypted with the key not compromised), if subsequent measures have removed the high risk, or if individual notice would involve disproportionate effort, in which case a public communication is used instead.
It's the responsibility of the data controller to assess whether the breach is high risk or low risk. The controller can obviously contact a lawyer to see if they have to notify data subjects or not, and the supervisory authority can also require the controller to do so.
In the next part of this series, we will discuss a few things we need to follow as an IT team to comply with GDPR. Stay tuned!
Published at DZone with permission of Saahas Kulkarni. See the original article here.