GDPR Data Controller Requirements

The GDPR came into effect in May 2018, and it changed the role of the data controller - the person or organization responsible for data collection and storage.

If it were possible to sum up the new role of the data controller in one word, the word would be relevant. The data collected, processes used to obtain it, and security used to store it must all be relevant to the reason you collect the data in the first place.

The GDPR didn't reinvent the wheel for data controllers. Instead, it built on existing privacy and security practices to create a more robust and unified framework. Its goal was to place data protection on the pedestal the EU Commission believes it deserves to better protect European citizens. It's not just about data subjects. It also builds trust between businesses and their clients.

Do you know what it means to be a data controller in the new GDPR world? Keep reading to learn the:

  • Updated definition of a data controller
  • Requirements and responsibilities of a data controller

The GDPR covers data controller requirements in Chapter 4, Articles 24 through 43.

Are You a Data Controller?

A data controller is a person or organization responsible for overseeing and using the personal information collected and stored on company computers or servers. According to the law, the role refers to:

GDPR Info: Article 4: Definitions - Controller

Are you a data controller? If you're not sure, ask yourself the following questions:

  • Are you one of the people who decide what personal data your company collects and keeps?
  • Do you decide how the personal data will be used?

If the answer is yes, then you are a data controller.

Remember, a data controller doesn't need to be a person. In many cases, it isn't a specific job title but a set of duties integrated with all data collection and protection processes.

The Role of the Data Controller

Your overarching mission as a data controller is to ensure compliance with data protection and privacy laws, which now include the GDPR.

Data controllers are responsible for meeting a number of legal obligations when processing data. Those obligations vary in complexity according to the amount and type of data you use, and also by state and country.

One way to break down the role of the data controller is to look at the suggested practices. Because the GDPR doesn't provide an exact guide to follow, governments and other bodies have come up with practices they believe suit both the GDPR and their own laws.

The Office of the Data Protection Commissioner of Ireland did just that with its Guide for Data Controllers. The guide includes "Eight Rules of Data Protection" that controllers are to follow.

The rules are:

  1. Collect and process information fairly
  2. Keep data for a named and lawful reason
  3. Use and share data in ways that match the designated and legitimate reason
  4. Keep all data secure and safe from attack
  5. Ensure data kept is accurate and up-to-date
  6. Collect only relevant data and avoid excessive collection practices
  7. Store the data just as long as required for your identified purpose
  8. Prepare to provide a copy to individuals who request their data

Once you understand these principles, it's easier to see where your role lies and what regular tasks and responsibilities are involved in upholding the new guidance provided by the GDPR.

Let's break down these tasks rule-by-rule:

1. Collect information fairly

It's your job to ensure that individuals know why you are collecting their data at the time it is collected. It's not enough to let them know you collect data. Data subjects must also be made aware of:

  • Data controller's name
  • Purpose of data collection
  • Name and contact details of representatives
  • Who might receive the data
  • How to change their data if it is inaccurate or unfairly gathered
  • How to exercise their rights to access their data
  • Other information that lets the data subject know what data is collected, how it is processed, and how it might be accessed

As a rule, you also need to inform data subjects if third parties have any access to their information, and any secondary uses must also be outlined.

2. Keep data for a named and lawful reason

You need a named reason to collect and keep the data, and the reason must be lawful and explicitly stated.

According to the law, there are six lawful bases for the collection of data in Europe:

GDPR Article 6: Lawfulness of Processing - Section 1: Lawful bases

How do you comply?

Review your Privacy Policy to make sure you clearly state the reasons for data collection. Re-establish that the chosen and shared reason is lawful. Then, re-evaluate your data to make sure each different set has a purpose directly related to the shared purpose.

3. Use and share data in ways that match the named and lawful reason

Are your data controlling methods in line with your stated purpose?

Test the compatibility by reviewing your processes and asking of each:

  • Is the data used only in ways consistent with your stated purpose?
  • Is data disclosed only in ways consistent with your stated purpose?

Remember that this also applies to the data processor who deals with the data on your behalf.

4. Keep all data secure and safe from attack

As a data controller, you are responsible for ensuring that appropriate security measures remain in place and up-to-date to prevent inadvertent disclosure of the data collected.

High standards of security are a given, but the security also needs to be appropriate. Protecting personal information means using current resources that guard the data against both external and internal vulnerabilities.

Article 32 of the GDPR provides a short overview of what kind of measures are expected:

GDPR Article 32: Security of Processing - Section 1

The Irish government provides an excellent overview of the minimum standards of security required:

A Guide for Data Controllers from the Office of the Data Protection Commissioner of Ireland: Section on security

These standards are more prescriptive - and more useful - than the basic expectations provided by the European Commission.

What happens if you find a breach?

In the event of a breach that compromises personal information, you must notify the Supervisory Authority within 72 hours.

5. Ensure data kept is accurate and up-to-date

Think of it this way: Is the information useful for your purpose? If not, don't collect it or dispose of it properly.

If it's inaccurate, incomplete, or old, then it's likely irrelevant for your purposes.

Make sure your collection procedures use backup sources to ensure the data is accurate at the point of collection. Schedule periodic audits and reviews to double-check that the data remains accurate and complete over time.

6. Collect only relevant data and avoid excessive collection practices

Before deciding what data to collect, sit down and evaluate what exactly you plan to do. For example, do you plan to run text message marketing campaigns? Will you offer a special incentive to your users on their birthdates? These would be reasons to collect a phone number and birthdate. However, if you only plan to send standard email newsletters, you likely have no real need for a phone number and birthdate.

Carry out a regular review of the relevance of the data collected through each channel and of the information already in your servers.

7. Store the data only as long as required for your identified purpose

How long are you keeping old data on your servers? Is it data that is continuously in use or was it part of a now-defunct task?

To comply, you or someone assigned to the task should regularly purge files to ensure data isn't left lying around for months or years after use. Purging might mean applying the appropriate deletion measures or appropriately anonymizing the data.

Remember that data subjects also have a right to erasure. Your process should also include a system for deleting individual files.

Set up a defined policy on data retention and display it in your Privacy Policy. Put the appropriate management, clerical and computer procedures in place to implement your policy.

8. Prepare to provide a copy to individuals who request their data

The GDPR allows data subjects access to their data, so your role as a data controller now includes providing a method for fulfilling that request.

Data controllers should create and follow clear procedures for ensuring that all relevant data is identified and provided when a data subject requests access to it.

What About Controllers Outside the EU?

All these obligations apply to you if your website is accessible in the European Union. However, you must take an additional step: nominating a representative in the EU as a point of contact for data processing.

Do I Need a Data Protection Officer?

Maybe. If you are a public body, process large amounts of data that require regular monitoring of subjects, or work with special or sensitive data, then you need a DPO.

Conclusion

The GDPR didn't reinvent the role of the data controller. Rather, it created a unified framework that made it easier to follow and protects all European citizens equally by forcing data collection processes to remain relevant and accountable.

Following the eight rules for data controllers makes it clear what your responsibilities are under the GDPR so that you can keep legally doing business within the European market.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.