All entities (businesses or organizations) are obligated to comply with the General Data Protection Regulation, also known as the GDPR. This means that entities that collect and process personal data must comply with the rules applicable to the protection and processing of such data.
Below you will find a guide to the 10 subjects that you must understand to ensure compliance with the rules in the GDPR.
To process personal data, you must have a lawful basis. In short, this means that you are only permitted to carry out the processing if you have a lawful basis. GDPR, Article 6 sets out six lawful bases for processing personal data, for example consent, performance of a contract, and legitimate interest. You must always be able to document that the processing of the personal data is conducted lawfully, fairly, and in a transparent manner in relation to the data subject.
GDPR, Article 30 requires that a record of all processing activities shall be maintained. A record is an overview of all the processing activities of personal data taking place in your organization. Both the controller and the processor must keep a record of the processing activities.
The purpose of maintaining a record is to be able to demonstrate by documentation that a given processing activity complies with the GDPR. The requirement to maintain a record is two-fold, i.e., to contribute to the overall documentation of compliance with the data protection rules and to ensure that the controller has and maintains the required overview.
GDPR, Articles 13 and 14 provide that all processing of personal data must be lawful, fair, and transparent, and a controller is therefore obliged to provide individuals with certain information when their personal data is processed.
To comply with this duty of disclosure, the organization may draft personal data policies. A personal data policy must address each specific group of data subjects and the particular processing taking place. The personal data policy should be easily accessible to the data subjects and written in clear, plain, and easy-to-understand language. Since many organizations process a wide variety of personal data about different groups of data subjects, it may be necessary to prepare several different personal data policies, each depending on the target group.
It is important that the organization has described the procedures which must be followed by its employees when personal data is processed.
The purpose of clear and well-defined internal procedures with respect to the processing of personal data is to ensure that the organization meets the legal requirements and is able to handle the processing in an efficient and standardized manner, thus significantly reducing errors and man-hours.
You also have an obligation to communicate the internal procedure to your employees and ensure that the employees have proper training.
GDPR, Article 4 distinguishes between the roles of controllers and processors.
A processor is a natural or legal person, public authority, etc., that processes personal data on behalf of and on the instruction of the controller.
The controller must have an overview of all its processors and must conclude legally valid data processing agreements with processors that process personal data on its behalf.
The controller must continuously oversee its processors ensuring compliance with the data processing agreement and legal requirements.
The requirements for monitoring increase as the processor processes an increasing volume of personal data, when the personal data takes on a more confidential and sensitive character, and when the processing becomes more intrusive to the data subjects. As the risks increase, the requirements for monitoring will increase correspondingly.
An organization’s “self-monitoring”, when it relates to its processing of personal data, includes collecting and maintaining information about the processing activities, analysis, and control of compliance with the GDPR, as well as informing, advising, and making recommendations for use internally in the organization.
The purpose of self-monitoring is to document the organization’s compliance with the GDPR.
Since it is the employees in the organization who process the personal data on a daily basis, it is crucial that they are aware of how and when personal data may and should be processed in order to ensure compliance with the GDPR and other applicable legal requirements.
By taking into account the basic principles of the GDPR when developing new or modifying existing IT systems, it will be easier for your organization to comply with the GDPR. Incorporating data protection into IT systems is called “data protection by design” and follows directly from the GDPR.
When processing personal data, appropriate technical and organizational measures must be taken to meet the requirements of the GDPR. The necessary measures should be based on the nature of the data, the volume of data, the purpose of the processing, and the risks that the processing may entail for the rights and freedoms of the data subjects.
An advantage of using a risk-based approach is that the controller can choose the necessary security measures which are relevant to the risks posed.
The purpose of conducting risk assessments is to assess the current and relevant risks and to ensure that the implemented security measures actually reflect the risks. A risk-based approach optimizes the consumption of resources while at the same time establishing a common thread in the security and documentation work.
The main subject matter of the GDPR’s risk assessments is the rights and freedoms of the data subjects. An assessment must therefore be made regarding the risks to customers, employees, and other business partners when the organization processes personal data in the role of controller.
A risk assessment includes an impact assessment, a threat assessment, a vulnerability assessment, and a risk picture, and shall be prepared when relevant and as needed.
The data subject’s rights are enshrined in several provisions in the GDPR, and include, among other things, the right of access and the right to erasure.
As a rule, it is the controller who must observe and handle requests by data subjects when they invoke their rights. A processor cannot be given independent responsibility for observing the rights but can observe the rights on behalf of the controller.
You can produce and maintain your GDPR documentation manually. Alternatively, you can implement a compliance tool that automates it all. When you put your GDPR documentation into software (which produces all the documentation you may be missing), you can simplify and digitize your work with records, personal data policies, procedure descriptions, and risk assessments, and legal documents on IT security can be generated based on simple questionnaires. The same applies to inquiries from data subjects. And finally, you can use the software to continuously monitor your processors and perform your self-monitoring.