GDPR introduces a number of roles and concepts you’ll need to understand:
- Personal data
- Data Subject
- Data Controller
- Data Processor
- Data Protection Officer
Personal data is at the heart of GDPR. A task will fall under the scope of GDPR if:
- The data being processed can be used either directly or indirectly to identify a ‘living natural person’
- And: the data is collected, held or processed within the EU
- Or: the data is being used to provide services into the EU.
A Data Subject is a living natural person.
The main aim of the GDPR is the protection of the rights and freedoms of the Data Subject by:
- Providing the Data Subject with more control over their data
- Placing responsibility and accountability for the control of this data on the Data Controller.
So, think about who your Data Subjects are. Employees? Customers? Donors? Volunteers?
Under GDPR, Data Subjects will have the following rights:
- The right to be informed
- The right to rectification
- The right to restrict processing
- The right to object
- The right of access
- The right to erasure
- The right to data portability
- Rights in relation to automated decision making (ADM)
A Data Controller (DC) is an entity that holds personal data on any Data Subject.
As a Data Controller, your responsibility for the data you are borrowing is all-encompassing. The loss of this data, or unlawful access to it, could result in:
- Administrative fines
- Unquantifiable PR damage
- Compensation and damages claims
The six data protection principles of the GDPR ensure that any personal data you (as the DC) process should be:
- Processed lawfully, fairly and transparently
- Collected for specified, specific and legitimate purposes
- Adequate, relevant and limited to what is necessary for processing
- Accurate and kept up to date
- In a form that allows the identification of Data Subjects for only as long as necessary
- Processed in a manner that ensures its security
The third role is that of the Data Processor (DP). In some (many) situations the Data Processor may be the same entity as the Data Controller. If, however, you designate a third party to process your data, then things are more complex.
Examples of a Data Processor in this three-way partnership situation could be:
- Outsourced payroll using your employee data to process salary payments and other admin
- A cloud-provider running analytics on your cloud-based data
- A marketing company completing trend analysis on data you have collected
Data Processors should only carry out the tasks they have been asked to perform by the Data Controller.
The details of this should be set out in a contractual agreement between the DC and the DP.
Data Protection Officer
Why would my organisation need a Data Protection Officer (DPO)?
Three situations would result in the required appointment of a DPO:
- Data Processing carried out by a public body
- Core activities requiring regular and systematic monitoring of data on a large scale
- Large scale processing of special data categories
What does the role of DPO involve?
- Data Controllers and Data Processors must ensure the active involvement of the DPO in activities, from inception through to ongoing operations
- Data Controllers and Data Processors must provide the necessary resources to the DPO
What would a DPO do?
- Inform and advise
- Monitor compliance
- Advise around Data Protection Impact Assessments (DPIA)
- Cooperate and liaise with the Supervisory Authority
- Act as the contact point for Data Subjects
- Manage risk associated with processing operations
This blog is a commentary on the GDPR, as we interpret it, as of the date posted. We’ve spent a lot of time learning about the GDPR and focusing on how it can be practically implemented. However, not all aspects and interpretation of the GDPR are as black and white as they perhaps should be, and no doubt will be in the future. Therefore, this blog is provided for informational purposes only and should not be relied upon as legal advice.
If you are concerned about implementing GDPR in your business, the good news is, we are here to help! We offer GDPR Compliancy, assessing your processes and systems in preparation for GDPR compliance and providing on-site staff training.