Data Subject (DS)
Any EU resident (still applicable after Brexit) who has personal data stored by an organisation or third party, either on a computer system or on paper.
Data Controller (DC)
Person, public authority, agency or other body that is accountable for compliance with GDPR. Article 24
Data Processor (P)
Person, public authority, agency, other body or third party that processes personal data on behalf of the data controller.
Supervisory Authority (SA)
Oversees and ensures compliance with the legislation in each EU member state (the ICO in the UK).
Data Protection Officer (DPO)
Responsible for overseeing that the DC is compliant. Article 37
Personally Identifiable Information (PII)
Names, addresses, email addresses, IP addresses and photos of persons resident in the EU.
Under GDPR, the DS is granted certain rights in relation to the DC:
- Ability to view what PII is being used, where it is held, how it is stored, for what reason, and for how long it is retained.
- Request an electronic copy of the data from the DC. A response with the data, or an acknowledgment, is required within a month, extendable to a maximum of three months.
- View contact details for the DC.
- Explicitly grant consent to the DC for processing of data.
- Explicitly revoke consent given to the DC for storage or processing of data.
- Explicitly request deletion of data held by the DC or by a third party of the DC.
What about the DPO?
- Required for all public authorities or bodies: councils, government departments, the health sector, schools, emergency services.
- Most likely mandatory for private companies that carry out public functions or deliver public services in the areas of water, transport, energy or housing, or whose core business revolves around PII.
- Required to have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR.
- Contact point for the SA (ICO).
- Reports at board level of the organisation.
- Must not have a conflict of interest with the organisation or be under undue pressure from the organisation in carrying out their duties.
What steps does the DC have to do to move to GDPR compliance?
- Understand and identify PII: names, email addresses, phone numbers, home addresses. Article 4(1)
- Use only the minimum data needed for specified, explicit and legitimate purposes, and do not further process it in a manner incompatible with those purposes.
- Inform the DS of the intended purpose of processing PII and the legal basis for processing
- Use every reasonable step to ensure the data is accurate, or rectify inaccurate PII without undue delay upon request from DS
- Locate and provide PII on demand to the DS in a human readable understandable form
- Seek out recorded consent for storing or processing PII from the DS.
- Delete PII upon the request of DS
- Transfer the PII to another DC at the request of the DS
- Request key information to confirm the identity of the DS
- Optionally archive the PII, if in the public interest
- Inform the DS of the recipients of PII
- Inform the DS of how their PII is categorised
- Inform the DS, where applicable, that the controller intends to transfer PII to a third country or international organisation
- Inform the DS of their right to lodge a complaint with an SA
- Inform the DS of further processing of PII for other purposes
- Make reasonable efforts to verify parental consent
- Maintain written records of processing activities containing the specified information, if the organisation has more than 250 employees.
- If necessary, appoint an employee or third party DPO
- Not influence the DPO in his/her duties
- Provide due diligence of third parties processing PII.
- Provide identity and contact details of the DC or representative to the DS.
- Provide identity and contact details of the DPO.
- Inform the DS, where necessary, that a breach has occurred, within 72 hours of discovery
- Track the steps taken in dealing with a breach incident
- Provide evidence that corrective action is taking place to move back to GDPR compliance
So how does this work out in practice for an organisation?
Each organisation subject to GDPR has until 25th May 2018 to implement both the internal and external infrastructure and processes needed for GDPR compliance. External infrastructure and processes are expected to revolve around interaction with EU residents.
The big blue chip companies will most likely have an IT Department and teams of developers who can create the supporting infrastructure, or they have the revenue to bring in a third party or completely outsource.
What about local councils, schools, or small organisations that have little or no IT support?
If they are wise, they should be planning now to outsource as much as possible to companies that can provide components of this service.