GDPR: A Comprehensive Data Protection Regulation and its Impact on Individuals and Business Worldwide: Part III Compliances for Businesses

Aastha Tandon
Founder/ Designated Partner at Perennial Publication LLP & Consultant at Aceaero Consultants LLP
Aastha Tandon is a Legal Consultant and Entrepreneur apart from being a poet whose literary expression is found in her book 'A Maiden Attempt'. A lawyer by day and poet at heart she loves to read and write. Her work captures human emotions and weaves a fictional world around the user.

Part III of this series discusses the obligations of Data Controllers and Data Processors, i.e. business entities that store, process or use the personal data of individuals (data subjects).

Part III: Steps to be taken by an organisation (processing and/or controlling data) to be compliant with GDPR

Which organisations are required to comply with GDPR?

GDPR is applicable to organisations located in the EU as well as outside the EU, if they are:

  • offering goods or services to EU Data Subjects/Individuals, or
  • monitoring the behaviour of EU Data Subjects/Individuals.

All companies that are processing and/or holding the personal data of data subjects residing in the EU are required to comply with GDPR, regardless of the company’s location.

Thus, GDPR has an extra-territorial application.

Essential Steps to be taken by Organisations:

  • Review its data processing activities and align them with the requirements specified under the GDPR.
  • Assess the existing data processing systems to estimate the necessary technological updates, the policy changes to be made and the expenditure required to implement them.
  • Update the company privacy policies and assign responsibilities to the employee who shall perform the role and responsibilities of a Data Privacy Officer.
  • Include a mechanism to regularly check the security and process of data processing, transfer and other ancillary procedures.
  • Implement training programmes to train employees regarding the new changes and procedures to be followed. Special care needs to be taken to train employees on how to respond to data subject queries in a quick, recognised and appropriate manner.
  • Ensure an appropriate procedure to identify, report and take damage control measures in case of a data breach.
  • Ascertain the data processing activities for which it holds the responsibility of a controller, and accordingly understand those responsibilities in order to comply with and execute them.
  • Similarly, ascertain the data processing activities for which it is the data processor, and accordingly understand and carry out those functions.
  • At regular intervals, review and audit the data processing activities to ensure compliance, and review procedures to improve them.
  • Adhere to the Code of Conduct, the Guidelines on Impact Assessment (WP 248), the Guidelines on Data Protection Officers (WP 243), and the Code of Conduct for non-EEA (non-European Economic Area) controllers and processors.

Responsibilities of a Controller of an Organization:

  • The data controller must comply with the Data Protection Principles, which are as follows:
    • Data should be processed in a fair, lawful and transparent manner.
    • The data collected should be used for legitimate purposes and should not be used for a new, incompatible purpose.[i] For instance, processing personal data for scientific, archiving, historical or statistical purposes is permitted if additional safeguards, such as pseudonymisation[ii] or a similar tool, have been implemented to increase security, and such data cannot be used for any purpose other than those mentioned above.
    • Data minimisation needs to be observed by limiting processing to the data that is necessary. A careful review needs to be carried out to determine what is necessary.
    • Maintain the accuracy of the data collected and processed.
    • Determine the retention period of personal data to ensure fair processing. This principle has to be read together with the right to be forgotten available to data subjects.
    • Ensure data security by implementing the necessary technological and procedural tools to secure personal data against external threats (such as hackers with malicious intent) and internal threats (untrained or irresponsible employees).
    • The controller must be accountable and be able to demonstrate compliance with these principles.
  • In case of a non-EU data controller, it is mandatory to appoint a representative from the EU Member State to which the controller is offering goods or services or monitors EU Residents. (This compliance is not necessary if the processing is occasional, small-scale and does not involve Sensitive Personal Data.)[iii]
  • Appointment of processors by the controller must be done after a comprehensive assessment of whether the processor guarantees compliance with the GDPR. The processor must:
    • Act only on the controller's prescribed and documented instructions;
    • Impose confidentiality obligations on all personnel who process the relevant data;
    • Ensure the security of the data being processed;
    • Abide by the rules concerning the appointment of sub-processors;
    • Implement procedures and measures to assist the controller in fulfilling the rights of individuals or data subjects;
    • Provide assistance in obtaining the requisite approval from the data protection authorities where required;
    • At the controller's election, either return or destroy the personal data at the end of the relationship (except as required by EU or Member State law);
    • Provide the controller with all the information necessary to demonstrate compliance with the GDPR; and
    • Maintain records of the controller's processing activity and, upon request, disclose these records to the data protection authorities.
  • On receiving a request, the Controller must cooperate with the Data Protection Authorities.
  • The data controller should implement security measures depending on the nature of the processing; these measures may include:
    • Encryption of the personal data;
    • Ongoing review of security measures;
    • Redundancy and backup facilities; and
    • Regular security testing.
  • Report data breaches to the Data Protection Authority via a notification[iv] without undue delay and within 72 hours of becoming aware of the breach.
  • Similarly, the data controller must notify[v] the affected data subjects of the breach without undue delay.

It is pertinent to note that a data processor has obligations similar to those of the data controller. In case of a breach, the processor is required to report it to the data controller without undue delay.

Thus, it can be observed that the obligations of organisations have substantially increased. They are more accountable and need to implement advanced security measures to comply with the GDPR requirements.

End Notes:

[i] Chapter 6: Data Protection Principles – Unlocking the EU General Data Protection Regulation, Dr. Detlev Gabel and Tim Hickman, last seen on 29th April 2018

[ii] Pseudonymisation is a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. There can be a single pseudonym for a collection of replaced fields or a pseudonym per replaced field. To read more about pseudonymisation please see this link, last seen on 29th April 2018.
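The two forms of pseudonymisation described in this note, as an added example that is not part of the original article: a keyed pseudonym per replaced field, and a single pseudonym for the whole collection of identifying fields. The record, the choice of identifying fields and the key are constructed assumptions for the example; the separately stored re-identification map is what distinguishes pseudonymised data (re-linkable by the key holder) from anonymised data.

```python
import hmac
import hashlib
import json

# Constructed sample record; the values are made up for this example.
RECORD = {
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "dob": "1990-05-01",
    "purchase_total": 42.50,
}
# Fields treated as "most identifying" (an assumption for this example).
IDENTIFYING_FIELDS = ("name", "email", "dob")


def pseudonym(value: str, key: bytes, length: int = 16) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated hex).

    Only a holder of `key` can re-link a pseudonym to its input by
    recomputing it, so the key is the 'additional information' that
    must be kept separately from the pseudonymised records.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def pseudonymise_per_field(record: dict, key: bytes) -> dict:
    """One pseudonym per replaced field; non-identifying fields are kept."""
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        if field in out:
            # The field name is mixed in so equal values in different
            # fields do not yield the same pseudonym.
            out[field] = pseudonym(f"{field}:{out[field]}", key)
    return out


def pseudonymise_single(record: dict, key: bytes) -> dict:
    """A single pseudonym replacing the whole collection of identifying fields."""
    identity = {f: record[f] for f in IDENTIFYING_FIELDS if f in record}
    out = {k: v for k, v in record.items() if k not in identity}
    out["subject_id"] = pseudonym(json.dumps(identity, sort_keys=True), key)
    return out


def reidentification_map(record: dict, key: bytes) -> dict:
    """Per-field pseudonym -> original value; store apart from the data."""
    return {pseudonym(f"{f}:{record[f]}", key): record[f]
            for f in IDENTIFYING_FIELDS if f in record}
```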

[iii] Chapter 10: Obligations of controllers – Unlocking the EU General Data Protection Regulation, Dr. Detlev Gabel and Tim Hickman, last seen on 29th April 2018

[iv] The notification to the Data Protection Authority must include at least:

  • a description of the data breach, including the numbers of data subjects affected and the categories of data affected;
  • the name and contact details of the DPO (or other relevant point of contact);
  • the likely consequences of the data breach; and
  • any measures taken by the controller to remedy or mitigate the breach.

The controller must keep records of all data breaches, comprising the facts and effects of the breach and any remedial action taken.

[v] The notification to the affected data subjects must include at least:

  • the name and contact details of the DPO (or other relevant point of contact);
  • the likely consequences of the data breach; and
  • any measures taken by the controller to remedy or mitigate the breach.

However, the controller may be exempt from this requirement if:

  • the risk of harm is remote because the affected data are protected (e.g., through strong encryption);
  • the controller has taken measures to protect against the harm (e.g., suspending affected accounts); or
  • the notification requires disproportionate effort (in which case the controller must issue a public notice of the breach).
