All European Union based companies will be Data Controllers, even if this may only be with regard to the controlling of their employee data. Organisations will have to take some of the following steps to prepare to become compliant with their obligations:
Review your data processing activities
Ensure, as early as the planning phase and throughout the implementation of a new product or service, that the processing activities are in accordance with the Data Protection Principles. This includes implementing the appropriate safeguards. This is a key aspect of the Privacy by Design principle of GDPR, which focuses on building the most privacy-friendly design into a new service or product from the outset.
When appointing a processor, ensure that they are compliant with GDPR. The relationship between the two parties must be governed by a binding legal agreement in writing. The agreement shall contain the necessary terms and conditions to ensure: (i) the processor will act only on the documented instructions provided by the Data Controller; (ii) confidentiality, including from all the relevant personnel.
Keep records of your processing activities and be ready to disclose them to the Information Commissioner’s Office if requested. The records should provide information as to: (i) the purposes of the processing activities; (ii) the types of personal data and Data Subjects; (iii) the categories of recipients with whom the personal data may be shared; (iv) transfers of data outside the Data Controller’s country; (v) the data retention period; (vi) a description of the security measures implemented and applied to the processed data. When the Data Controller is an organisation with fewer than 250 employees there is an exemption from keeping such records, unless the organisation is processing personal data of a high-risk nature.
Implement appropriate technical and organisational security measures to protect personal data. These measures may depend on the nature of the data processing and may include: (i) security testing; (ii) back-up facilities; (iii) regular reviews of security measures; (iv) encryption of personal data.
Report a data breach to the Information Commissioner’s Office (or the relevant data protection authority) within 72 hours of becoming aware of it. The Data Controller does not have an obligation to report the data breach when it is unlikely to result in any harm to data subjects. In the report, the Data Controller should include: (i) a description of the data breach, the data subjects and the personal data affected; (ii) the contact details of the Data Protection Officer or other relevant contact; (iii) the likely consequences of the data breach; (iv) the measures taken by the Data Controller to mitigate or remedy the breach. Records with the information above must be kept for all data breaches, including those not reported.
When the data breach causes a high risk to data subjects, the Data Controller must notify them without undue delay. The notification should include: (i) the contact details of the Data Protection Officer or relevant contact; (ii) the likely, foreseeable consequences of the data breach; (iii) the measures taken by the controller to remedy and mitigate such risk. The Data Controller is exempt from notifying the affected data subjects when: (i) the risk of harm is remote and the data is protected; (ii) the Data Controller has taken measures to protect the data subjects and personal data from harm; (iii) the notification would require a disproportionate effort.
The responsibilities of a non-EU Data Controller or a Joint Data Controller may be different from the ones above. For more information please contact your legal representative.
This information is provided for guidance and cannot be classified as official legal advice. For official direction related to your obligations under GDPR, please speak to your legal counsel.