11 February 2020
The GDPR came into effect in May 2018, and it changed the role of the data controller - the person or organization responsible for data collection and storage.
If it were possible to sum up the new role of the data controller in one word, the word would be relevant. The data collected, processes used to obtain it, and security used to store it must all be relevant to the reason you collect the data in the first place.
The GDPR didn't reinvent the wheel for data controllers. Instead, it built on existing privacy and security practices to create a more robust and unified framework. Its goal was to place data protection on the pedestal the EU Commission believes it deserves to better protect European citizens. It's not just about data subjects. It also builds trust between businesses and their clients.
Do you know what it means to be a data controller in the new GDPR world? Keep reading to learn the:
The GDPR covers data controller requirements in Chapter 4 in sections 24 through 43.
A data controller is a person or organization responsible for overseeing and using the personal information collected and stored on company computers or servers. According to the law, the role refers to:
Are you a data controller? If you're not sure, ask yourself the following questions:
If the answer is yes, then you are a data controller.
Remember, a data controller doesn't need to be a person. In many cases, it isn't a specific job title but a set of duties integrated with all data collection and protection processes.
Your overarching mission as a data controller is to ensure compliance with data protection and privacy laws and now the GDPR.
Data controllers are responsible for meeting a number of legal obligations when processing data. Those obligations vary in complexity both according to the amount and type of data you use as well as by state and country.
One way to break down the role of the data controller is to look at the suggested practices. Because the GDPR doesn't provide an exact guide to follow, governments and other bodies have come up with practices they believe suit both the GDPR and their own laws.
The Office of the Data Protection Commissioner of Ireland did just that with its Guide for Data Controllers. The guide includes "Eight Rules of Data Protection" that controllers are to follow.
The rules are:
Once you understand these principles, it's easier to see where your role lies and what regular tasks and responsibilities are involved in upholding the new guidance provided by the GDPR.
Let's break down these tasks rule-by-rule:
It's your job to ensure that individuals know why you are collecting their data at the time when the data is collected. It's not enough to let them know you collect data;. Data subjects must also be made aware of:
As a rule, you also need to inform data owners if third parties have any access to their information and any secondary uses must also be outlined.
You need a named reason to collect and keep the data, and the reason must be lawful and explicitly stated.
According to the law, there are six lawful bases for the collection of data in Europe:
How do you comply?
Are your data controlling methods in line with your stated purpose?
Test the compatibility by reviewing your processes and asking of each:
Remember that this also applies to the data processor who deals with the data on your behalf.
As a data controller, you are responsible for ensuring that appropriate security measures remain in place and up-to-date to prevent inadvertent disclosure of the data collected.
High standards of security are a given, but the security also needs to be appropriate. Protected personal information must utilize current resources that protect data from both external and internal vulnerabilities.
Article 32 of the GDPR provides a short overview of what kind of measures are expected:
The Irish government provides an excellent overview of the minimum standards of security required:
These standards are more prescriptive - and more useful - than the basic expectations provided by the European Commission.
What happens if find a breach?
In the event of a breach that compromises personal information, you must notify the Supervisory Authority within 72 hours.
Think of it this way: Is the information useful for your purpose? If not, don't collect it or dispose of it properly.
If it's inaccurate, incomplete, or old, then it's likely irrelevant for your purposes.
Make sure your collection procedures use backup sources to ensure the data is accurate at the point of collection. Be sure to schedule periodic audits and reviews to double-check that the integrity of the data remains over time.
Before deciding what data to collect, sit down and evaluate what exactly you plan to do. For example, do you plan to run text message marketing campaigns? Will you offer a special incentive to your users on their birthdates? These would be reasons to collect a phone number and birthdate. However, if you only plan to send standard email newsletters, you likely have no real need for a phone number and birthdate.
Carry out a regular review of the relevance of the data collected through each channel and of the information already in your servers.
How long are you keeping old data on your servers? Is it data that is continuously in use or was it part of a now-defunct task?
To comply, you or someone assigned to the task should regularly purge files to ensure data isn't left lying around for months or years after use. Purging might include using the appropriate deletion measures or the appropriate anonymization of data.
Remember that data subjects also have a right to erasure. Your process should also include a system for deleting individual files.
The GDPR allows data subjects access to their data, so your role as a data controller now includes providing a method for fulfilling that request.
Data controllers should create and follow clear procedures for ensuring that all relevant data is identified and provided when a data subject requests access to it.
All these obligations apply to you if your website is accessible in the European Union. However, you must take an additional step: nominating a representative in the EU as a point of contact for data procession.
Maybe. If you are a public body, process massive amounts of data that requires regular monitoring of subjects, or work with special or sensitive data, then you need a DPO.
The GDPR didn't reinvent the role of the data controller. Rather, it created a unified framework that made it easier to follow and protects all European citizens equally by forcing data collection processes to remain relevant and accountable.
Following the eight rules for data controllers makes it clear what your responsibilities are under the GDPR so that you can keep legally doing business within the European market.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.