What are the GDPR Obligations on Companies?

The General Data Protection Regulation (GDPR), which became applicable across the European Union (EU) on May 25, 2018, introduced a new set of obligations for companies and organisations that process or store the personal data of individuals in the EU.

GDPR was enacted to protect personal data and to ensure that it does not fall into the wrong hands.

Adequate Processing Systems for Data Management

Controllers must adopt a data management system with appropriate measures in place for GDPR compliance. GDPR introduced the principle of data protection by design and by default (often called privacy by design), under which data protection measures are considered throughout the entire design process rather than added on afterwards.

Legally Compliant Data Processors

If a controller outsources data processing tasks to a processor, the controller must satisfy itself that the processor provides sufficient guarantees of GDPR compliance before the processing begins.

A data processor could be, for example, a payroll company, an accountancy firm or a human resources agency; any of these may hold or process personal data on the controller's behalf.

A written contract must be in place between the data controller and the data processor that sets out all of the processor's legal obligations.

Managing & Keeping Records of Processing

If a company has 250 or more members of staff, or (regardless of size) its processing is not occasional, is likely to result in a risk to data subjects, or involves special categories of personal data, then it must keep a record of all processing activities it carries out, as required by GDPR.

This record must include the name and contact details of the controller, the purposes of the processing, the categories of data subjects and of personal data, the categories of recipients, details of any transfers to non-EU countries together with the safeguards relied on for those transfers, the envisaged time limits for erasing each category of data, and a general description of the security measures in place.

Safeguarding Data

Appropriate technical and organisational security measures must be in place to keep personal data secure. They must protect the data against accidental or unlawful destruction, loss or alteration, and against unauthorised disclosure of or access to it.

Reporting Data Breaches

GDPR requires that the relevant supervisory authority be notified of a personal data breach without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subject(s). A processor that becomes aware of a breach must notify the controller without undue delay, and where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay.

Data Protection Impact Assessments

A data protection impact assessment must be completed by any data controller that intends to carry out high-risk data processing. The assessment must include a description of the processing operations and their purposes, an assessment of the necessity and proportionality of the processing, an assessment of the risks to the rights and freedoms of the data subjects, and the measures envisaged to address those risks.

The assessment should be reviewed once the processing is under way, and in any case whenever the risk represented by the processing changes.

Appoint a Data Protection Officer (DPO)

A Data Protection Officer (DPO) must be designated if an organisation is a public authority or body, if its core activities consist of regular and systematic monitoring of data subjects on a large scale, or if its core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions.

Where one or more of these conditions applies, the following rules govern the appointment:

  • The person designated must have the appropriate professional experience and expert knowledge of data protection law and practice.
  • The DPO may be an existing member of staff designated to the role, or an external contractor.
  • The DPO's contact details must be published and communicated to the supervisory authority.
  • Resources must be in place so that the DPO can carry out their tasks.
  • The DPO must report directly to the highest level of management in the company/organisation.
  • The DPO must not carry out any other task or role that conflicts with their duties as DPO.

Codes of Conduct and Certification

Associations and other bodies representing controllers and processors may prepare codes of conduct that set out how the GDPR should be adhered to in their sector. Draft codes of conduct must be submitted to the competent supervisory authority (in Ireland, the Data Protection Commission) for approval. GDPR also provides for approved certification mechanisms, seals and marks that controllers and processors can use to demonstrate compliance.

Sending Data Outside of the EU

Personal data may be transferred outside the EU, or to an international organisation, without further authorisation where the European Commission has decided that the destination ensures an adequate level of data protection. Where no such adequacy decision exists, the data controller or processor must put appropriate safeguards in place (such as standard contractual clauses or binding corporate rules) before the transfer takes place.
