Bracing up for GDPR

With the new EU General Data Protection Regulation ante portas, companies handling personal customer data throughout the EU are set to face a considerable operational challenge. In fact, the GDPR extends compliance requirements to both data controllers and processors and is oriented towards establishing a modern and uniform data protection framework across the EU, reinforcing individuals’ rights and introducing a number of “data governance” concepts, especially in the area of data security.

Companies eager to move proactively and prepare well ahead of May 2018 need to proceed with a series of steps, such as mapping their data, conducting a due diligence review and implementing a robust response plan in case of a data breach. Most importantly, they should redraft their privacy policies and nurture an inclusive personal data corporate culture, since conformity to the GDPR is expected to be an ongoing obligation, demanding constant adjustments and a more hands-on approach.

A controller’s responsibilities, in summary, comprise:

  • Carrying out data protection impact assessments (PIAs) when the type of processing is “likely to result in a high risk to the rights and freedoms of natural persons”.
  • Ensuring the effective protection of individuals’ rights, including erasure, reporting and notice requirements, and maintaining records of processing activities.
  • Duties towards the competent regulatory authority, such as consultation prior to processing and data breach notification. To this end, the appointment of a Data Protection Officer, who would mediate as a contact point – or a breakwater – between the company and the authority, could play a vital role in ensuring maximum compliance.

Finally, a processor of personal data is not exempt from the regulatory ambit of the GDPR and is therefore burdened with a number of responsibilities, including:

  • The pseudonymisation and encryption of the personal data processed on behalf of the controller,
  • the ability to ensure ongoing confidentiality, integrity and resilience of its processing systems and services,
  • the ability to restore access to personal data in a timely manner in the event of a malicious attack or a physical incident, and
  • a process for regularly testing, assessing and evaluating the effectiveness of its technical and organizational systems, thus demonstrating that it puts every reasonable effort into safeguarding the security of processing.