As we continue with this blog series on GDPR Foundations, we will explore the requirements organizations need to meet in order to comply with GDPR.

Requirements for Organizations

GDPR contains many responsibilities with which organizations must comply. At the end of the day, GDPR’s core responsibilities are that organizations must:

  • Assist individuals in exercising their privacy rights
  • Ensure individuals’ PII is kept secure
  • Notify the appropriate parties in the event of a data breach involving PII

In this section, we discuss the key requirements spelled out in GDPR that organizations must satisfy in order to meet these three core responsibilities.

Assist Individuals in Exercising Their Privacy Rights

In this section, we discuss what:

  1. Individuals’ privacy rights are under GDPR
  2. Organizations are required to do in assisting individuals who wish to exercise their privacy rights

Individuals’ Privacy Rights

Individuals have seven main rights under GDPR (listed alphabetically):

  • The Right of Access
      1. Individuals may view all the PII an organization has collected or inferred (e.g., through analysis) about them
  • The Right to Be Forgotten
      1. Individuals may have their PII deleted
  • The Right to Giving Consent
      1. Where processing relies on consent as its lawful basis, PII may only be processed once the individual’s consent has been obtained (more on consent below)
  • The Right to Correction
      1. Individuals may have incorrect PII about them corrected
  • The Right to Data Portability
      1. Individuals may receive their PII in a structured, commonly used, machine-readable format and have it transmitted from one service to another
  • The Right to Object to Processing
      1. Individuals may object to an organization processing their PII, after which the organization must stop unless it can demonstrate compelling legitimate grounds for continuing
  • The Right to Restricting Processing
      1. Individuals may, in certain circumstances, require organizations that are already processing their PII to restrict that processing (the PII may still be stored, but not otherwise used)

Organizations’ Responsibilities

Controllers are required to:

  • Assist individuals in exercising their privacy rights, including responding to individuals’ requests to exercise their rights
  • Provide information on the action taken in response to an individual’s request within one month of receiving the request (this may be extended by up to two further months for complex or numerous requests, provided the individual is told of the extension and the reasons for it within the first month)
    • If a controller does not take action on an individual’s request, it must inform the individual of the decision within one month of the request and include the following information:
      • A statement that the controller will not be taking action on the request
      • The reasons why action is not being taken
      • Notice that the individual can lodge a complaint with a supervisory authority and seek a judicial remedy


Conditions for Obtaining Consent

Organizations must properly obtain consent from individuals prior to processing their data. Note that this includes but extends well beyond website cookie notifications. 

At a minimum, consent must be:

  • Requested in a clear, concise way, using plain language, and without unnecessarily disrupting the individual’s use of the service
    • This means that:
      • Full-page pop-ups asking for consent are in violation of GDPR
      • Legalese, difficult-to-understand, or ambiguous terms & conditions language is in violation of GDPR
  • Clearly distinguished from other matters
  • Given by each individual via a clear, affirmative act
    • Silence, pre-checked boxes, or inactivity do not constitute consent
    • This means that statements like “by using this site, you agree to our terms & conditions” are in violation of GDPR
  • Proven to have been given by each individual (the controller must be able to demonstrate consent, so keep a record of who consented, to what, when, and how)
  • As easy to withdraw as it is to give

Organizations may not make their goods/services conditional on consent to processing that is not necessary to provide them.¹

Ensure Individuals’ PII is Kept Secure

There are several ways GDPR requires organizations to keep PII secure. In this section, we outline GDPR’s key requirements in this area, which are to:

  • Implement information security measures
  • Appoint a Data Protection Officer (DPO)
  • Conduct a Data Protection Impact Assessment (DPIA)
  • Manage third parties, and
  • Maintain records of processing activities


Information Security Requirements

Organizations are required to implement appropriate technical and organizational (e.g., policies, processes, etc.) measures in order to safeguard PII. These measures are to:

  • Be chosen taking into account the state of the art, the cost of implementation, and the nature and severity of the risks to individuals
  • Be reviewed and updated when necessary
  • Ensure that only the minimum amount of PII needed for each purpose is being processed and no more
    • By default, PII is to be made accessible only to:
      • Workforce members (including contractors) who have a business need to process the data, and
      • Processors who are assisting with processing the PII
    • And only to the extent needed, in terms of:
      • The amount of personal data collected
      • The period for which it is stored
      • The level of access granted
  • Protect the PII in proportion to its sensitivity and the risk the processing poses to individuals
    • GDPR suggests these measures include:
      • Pseudonymization and encryption of PII (for pseudonymization, the key or lookup table needed to re-identify individuals must be kept separately from the pseudonymized data)
      • Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems
      • The ability to restore availability of and access to PII in a timely manner after a physical or technical incident
      • Regularly testing, assessing and evaluating the effectiveness of the measures
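To make the pseudonymization and data-minimization points concrete, here is an added Python example (illustration written for this post, not code from GDPR or from any vendor). It pseudonymizes a direct identifier with a keyed hash (HMAC-SHA256) rather than a bare hash, releases only the fields a registered purpose needs, and shows why an unkeyed hash of an e-mail address is not a pseudonym at all. The customer record, the two purposes (`usage_analytics`, `account_support`) and their field allow-lists are constructed for the example.

```python
"""Pseudonymization and purpose-bound minimization of PII records.

Added illustration, not the blog's code. The record, purposes and
allow-lists below are constructed for the example.
"""
import hashlib
import hmac
import secrets

# Constructed sample record; not real personal data.
CUSTOMER = {
    "customer_id": "C-1001",
    "email": "alice@example.com",
    "full_name": "Alice Example",
    "date_of_birth": "1985-04-12",
    "last_login": "2024-05-01T09:30:00Z",
    "pages_viewed": 42,
}

# Hypothetical purpose registry: which fields each purpose may see, and
# which of those must leave only as pseudonyms. Analytics never sees the
# name, e-mail or date of birth and only gets a pseudonymous ID; support
# staff need the real contact details but never see browsing data.
PURPOSES = {
    "usage_analytics": {
        "fields": {"customer_id", "last_login", "pages_viewed"},
        "pseudonymize": {"customer_id"},
    },
    "account_support": {
        "fields": {"customer_id", "email", "full_name"},
        "pseudonymize": set(),
    },
}

# The pseudonymization key is the "additional information" that must be
# kept separately from the pseudonymized data. Generated fresh here; in a
# real deployment it would live in a KMS/HSM, not next to the dataset.
DEMO_KEY = secrets.token_bytes(32)


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym: the same input and key always give the same token,
    so records can still be joined, but without the key the token can be
    neither reversed nor dictionary-attacked (unlike a bare SHA-256)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimize(record: dict, purpose: str, key: bytes) -> dict:
    """Return the subset of `record` that `purpose` is allowed to process,
    with the purpose's direct identifiers replaced by keyed pseudonyms."""
    try:
        spec = PURPOSES[purpose]
    except KeyError:
        # Unknown purpose: fail closed instead of releasing the whole record.
        raise ValueError(f"no processing purpose registered as {purpose!r}")
    out = {}
    for field, value in record.items():
        if field not in spec["fields"]:
            continue  # data minimization: not needed for this purpose
        if field in spec["pseudonymize"]:
            out[field] = pseudonymize(str(value), key)
        else:
            out[field] = value
    return out


def bare_hash_is_guessable(email: str, candidate_emails) -> bool:
    """Why an unkeyed hash is not a pseudonym: anyone holding a list of
    plausible e-mail addresses can hash each one and match the stored value."""
    target = hashlib.sha256(email.encode("utf-8")).hexdigest()
    return any(hashlib.sha256(c.encode("utf-8")).hexdigest() == target
               for c in candidate_emails)


if __name__ == "__main__":
    print(minimize(CUSTOMER, "usage_analytics", DEMO_KEY))
    print(minimize(CUSTOMER, "account_support", DEMO_KEY))
    print("bare hash guessable:",
          bare_hash_is_guessable(CUSTOMER["email"],
                                 ["bob@example.com", "alice@example.com"]))
```

Two design points are worth noting. Rotating or destroying `DEMO_KEY` breaks the link between pseudonyms and individuals, which is one practical way to honor a deletion request against data that must otherwise be retained in aggregate. And because `minimize` fails closed on an unregistered purpose, adding a new use of the data forces someone to write down which fields it needs, which is exactly the record a DPIA or a records-of-processing entry asks for.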

Appoint a Data Protection Officer (DPO)

To ensure organizations have appropriate measures in place and are complying with GDPR, both controllers and processors are required to appoint a DPO when their processing meets GDPR’s criteria for one (e.g., the organization is a public authority, or its core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data); many organizations appoint one voluntarily. Note that an organization’s DPO can be a full-time employee, a consultant, a DPO for several organizations, etc. Additionally, a single DPO can serve a group of organizations (e.g., a parent company and its subsidiaries).

Organizational Responsibilities

Regarding their DPO, organizations are required to:

  • Have their DPO report directly to the highest level of management
  • Ensure their DPO:
    • Is properly and promptly involved in all matters related to protecting PII
    • Does not receive any instructions regarding the performance of his/her tasks
    • Can be reached by individuals for all issues related to GDPR and the processing of their PII
  • Support their DPO in performing his/her tasks
    • This includes providing necessary resources and access to personal data and processing operations
  • Not dismiss or penalize their DPO for performing his/her tasks

DPO’s Responsibilities

DPOs are responsible, at a minimum, to:

  • Inform and advise the organization and its workforce of their obligations, and monitor compliance with and provide training related to:
    • GDPR
    • Other Union or Member State data protection provisions
    • Their organization’s policies related to protecting PII
  • Have due regard to the risks associated with processing operations when performing his/her tasks
  • Cooperate with and act as the point of contact for supervisory authorities
  • When requested, provide advice regarding the Data Protection Impact Assessment (DPIA) and monitor its performance

Conduct a Data Protection Impact Assessment (DPIA)

Controllers are required to conduct an impact assessment prior to processing PII where the processing is likely to result in a high risk to individuals’ rights and freedoms, which includes cases where:

  • A supervisory authority has listed the type of processing as requiring a DPIA
  • Systematic and extensive profiling or automated decision-making produces legal or similarly significant effects on individuals
  • Special categories of data, or data relating to criminal convictions and offences, are to be processed on a large scale
  • A publicly accessible area is being systematically monitored on a large scale

At a minimum, these assessments must contain:

  • A systematic description of the processing activities and their purposes
  • An assessment of:
    • The necessity of the processing
    • The risks that the processing poses to the individuals
  • How the organization will:
    • Protect the PII and 
    • Comply with GDPR
  • Where appropriate, the views of data subjects on the intended processing

Part III of this series will discuss how to manage third parties and will examine violations/fines for GDPR offenders.

 

¹There are exceptions for cases where PII is needed to provide a good/service (e.g., issuing someone a credit card requires a background check on the applicant, which in turn requires the applicant to provide some of their PII).