Controller and processor responsibilities, a crucial part of the GDPR

Share this…

Some considerations on controller and processor responsibilities and other concepts present in the European data protection law, such as DPIA and DPO

The application of the European Union’s General Data Protection Regulation (GDPR) began in May 2018. Since then, organizations are working on compliance with the high security standards demanded by GDPR, considered to be the most stringent privacy and data protection act so far.

According to cybersecurity and digital forensics experts from the International Institute of Cyber Security, one of the key issues addressed by GDPR is the responsibility of data controllers and processors, which we will discuss below.

Government responsibilities

  1. Accountability and governance

This is one of the basic principles of GDPR, considered experts in digital forensics. It establishes that, as an organization, a data processor must be able to demonstrate that the processing is done according to the requirements of GDPR.

  1. Data protection by default and by design

As an organization, the controllers must comply with different measures:

  • Starting from data protection as the core of security designs. In an IT company, there must be data protection methodologies throughout all its developments, business architecture, etc.
  • Implement appropriate technical and organizational measures to ensure that, by default, only the personal data required for each specific purpose of the process is processed.
  • Minimize stored data and consider using pseudonyms. This can be accomplished by asking some simple questions like:
    • Does your organization really need this data?
    • Do you need it to be personal?
    • Is it absolutely necessary to use these data?
    • Are the data visible only to those who really need to see them?
  1. Records of processing activities

In an organization with over 250 employees, controllers must keep a record of processing activities:

  • What data are processed and why?
  • How long will it be processed and stored?
  • To what kind of organization these data are disclosed, including recipients in other countries or international organizations.
  • In addition to digital backup, there must be a physical record of processing
  • This is mandatory because the regulators can request this data.
  1. Cooperation with the regulatory authorities

The controllers, processors and their representatives shall cooperate, upon request, with the supervisory authority for the fulfillment of the GDPR.

Data processors

  • When processing is performed on behalf of a controller, the controller will use only processors that offer sufficient guarantees to implement appropriate technical and organizational measures.
  • The processor will not co-operate another processor without the specific or general written prior authorization of the data controller.
  • Data processing will be governed by a contract or other legal act linking the processor and controller.
  • The contract, or legal act, shall stipulate, in particular, that the processor:
    • Shall handle personal data only in the documented instructions of the controller. Processors should do nothing more than the driver indicates.
    • Will ensure that persons authorized to process personal data work under a legal obligation of confidentiality.
    • Will help the controller through appropriate technical and organizational measures taking into account the nature of the processing.

Data Protection Impact Assessment (DPIA)

This is a risk assessment, considered experts in digital forensics and cybersecurity. DPIA is required under the following scenarios:

  • Processing and profiles design with significant effects.
  • Large-scale special category data.
  • Systematic monitoring of public access areas.

What should there be in a DPIA?

  • The full description of the processing.
  • If this process is required.
  • Possible risks to fundamental rights and freedom of stakeholders.
  • Risk management: If a risk occurs, how can the data controller act?

It will always be advisable, when we are starting a new project or a new application, to perform a DPIA. It can give us more information on how to manage, protect, and store controller data.

Data Protection Officer (DPO)

You will need a DPO if:

  • You are a public authority.
  • You conduct systematic monitoring of large-scale data subjects.
  • You process a large amount of special category information or criminal records.

What tasks must the DPO accomplish?

  • Advice
  • Monitoring compliance with GDPA
  • Driving the DPIA

Security Incidents Notification

Although your organization meets all GDPR standards, a security breach can still happens. This section discusses what to do if a driver is aware of a data breach on a system.

  1. Appropriate technical and organizational security measures

Controllers must comply with appropriate information security policies based on the risk to people, not the risk to the organization.

Both the controller and the data processor must take steps to ensure that any natural person acting under the authority of the controller or the processor that has access to the personal data does not process them, except in accordance with the instructions of the controller.

  1. Notify the regulator in the event of a violation of personal data

The data processor must notify the regulatory authorities within 72 hours after the data breach is discovered.

  1. Notify data subjects in the event of a violation of personal data

It is the responsibility of the data controller to identify whether the security breach is high or low risk. The data processor will be able to contact a lawyer to see if they have to notify the subject of the data or not.