What does Article 24(1) require the controller to do?
“Implement appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary”
Requires a risk based approach
(In determining what is appropriate, it requires you to take into account the nature of the processing as well as the risks etc and rights and freedoms of natural persons)
What kind things should you be doing to demonstrate compliance with Article 24(1)
Nb - this applies to controllers, but processors have an obligation to help controllers comply
- Data protection by design and default
- DPIAs (where relevant)
- Keeping data processing records
- Appointing a DPO (where relevant)
Data protection by design (A.25)
What is meant by this concept?
- Build data protection into your products throughout their life cycles, specifically at the time of planning the means and type of processing and during the processing itself
- necessary safeguards should be integrated into the organisation’s systems. The GDPR specifically highlights data minimisation and pseudonym is action as privacy enhancing tools
- A data protection programme assesses the risks of a product and takes steps to mitigate those risks to meet the data protection by design requirements
Data protection by default (A.25)
What type of things are should you be doing to ensure this?
- Where a product or service provides users with multiple setting options, the most data protective settings should be the default. Users should have to opt-in to any setting that presents greater risks
- By default, a product or service processes only the personal data that is necessary. Considerations include:
- purpose of processing
- amount of personal data collected
- Extent of processing
- storage period
- accessibility
What are the two key functions of a DPIA?
- incorporating data protection considerations into organisational planning
- demonstrating compliance to supervisory authorities
DPOs are required to monitor the performance of DPIAs
When is a DPIA required?
- Article 35(1): if the processing is “likely to to entail a high risk to the rights and freedoms of natural persons” (risks should be considered from the PoV of the data subject and the supervisory authority)
- Consider the nature, scope, content, purpose, type of processing and use of new technologies
- New technologies which are less well understood increase likelihood of requiring DPIA
- large scale processing of SC data or criminal conviction data requires DPIA
- Also systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV?)
NB - WP29 and DPAs have also published lots of guidance on this
What does accountability mean in the context of GDPR?
It is one of the data protection principles
It makes you responsible for complying with the GDPR and says you must be able to demonstrate compliance
You need to put in place appropriate technical and organisational measures to meet the requirements of accountability
Accountability obligations are ongoing. You must review and, where necessary, update the measures you put in place
Implementing a privacy management framework can help you embed your accountability measures and create a culture of privacy
What does Article 30 require controllers to do?
“Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility”
When recording your processing activities, what information does a data controller need to document?
Article 30:
- Name and contract details of controller (+DPO)
- Purposes of processing
- Categories of data subjects and categories of personal data being processed
- Categories of recipients to whom personal data is disclosed (inc recipients in 3rd countries or international organisations)
- Transfers of personal data to a third country (inc which country) and documentation of appropriate safeguards
- Where possible, the envisaged time limits for erasure of the different categories of data
- Where possible, a general description of the technical and organisational security measures referred to in Article32(1)
E.g. this is the stuff you’d document in Privacy Engine
When recording your processing activities, what information does a data processor need to document?
- Name and contact details of the processor and the controller on whose behalf you’re acting (inc controller DPO)
- Categories of processing carried out for the controller
- Transfers of data (inc appropriate safeguards where relevant)
- Description of the technical and organisational security measures
What things should you take into account when determining the appropriate technical and organisational measures to ensure a level of data security appropriate to risk?
Article 32, which focuses on security of processing provides that:
- The state of the art
- The costs of implementation
- The nature, scope, context and purposes of processing
- Risk of varying likelihood and severity fro the rights and freedoms of natural persons
Should be taken into account so that the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
(Note that although size of organisation may affect costs, it is not, by itself, a determining factor)
What kind of security measures should organisations put in place as part of efforts to ensure the confidentiality, integrity and availability of of the systems and services you use to process personal data?
What you put in place depends on your particular circumstances, but may include
- information security policies
- access controls
- security monitoring
- recovery plans
Which principle does pseudonymisation help you to comply with
Data minimisation
What is data protection by design?
An approach that ensures you consider privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle
What is data protection by default?
This requires you to ensure you only process the data that is necessary to achieve your specific purpose.
It links to the fundamental data protection principles of DATA MINIMISATION and PURPOSE LIMITATION
Which principle does pseudonymisation help you to comply with
Data minimisation
What is data protection by design?
An approach that ensures you consider privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle
What is data protection by default?
This requires you to ensure you only process the data that is necessary to achieve your specific purpose.
It links to the fundamental data protection principles of DATA MINIMISATION and PURPOSE LIMITATION
