Whilst the principles of accountability and transparency were previously implicit, the GDPR now makes them explicit and elevates their significance.
Whenever a controller uses a processor, it must have a written contract in place. The contract matters because it records what each party is responsible and liable for. The GDPR sets out what the contract must cover: the subject matter and duration of the processing; the nature and purpose of the processing; the type of personal data and the categories of data subject; and the obligations and rights of the controller.
There are explicit provisions about documenting processing activities. An organisation must maintain records covering, among other things, its processing purposes, data sharing and retention periods, and it may be required to make those records available to the ICO on request. Controllers and processors both have documentation obligations; meeting them helps an organisation comply with other aspects of the GDPR and improves its data governance.
Data protection by design
An organisation has a general obligation to implement appropriate technical and organisational measures, and to be able to show that it considered and built data protection into its processing activities from the outset rather than as an afterthought.
Data protection impact assessments
A data protection impact assessment (DPIA) is a tool that helps an organisation identify the most effective way to comply with its obligations and meet individuals' expectations of privacy, allowing it to find and fix problems at an early stage. Although a DPIA was not a legal requirement under the DPA, the ICO promoted it as an integral part of a privacy by design approach, and under the GDPR a DPIA becomes mandatory where processing is likely to result in a high risk to individuals.
Data Protection Officer
A data protection officer (DPO) must be appointed if the organisation is a public authority (except for courts acting in their judicial capacity); carries out large-scale regular and systematic monitoring of individuals; or carries out large-scale processing of special categories of data or of data relating to criminal convictions and offences. A single DPO may be appointed for a group of undertakings, and any organisation may appoint a DPO voluntarily; in either case the organisation must ensure the DPO has sufficient staff, skills and resources to discharge the role.
Codes of conduct
Signing up to a code of conduct or certification scheme is not obligatory, but if an approved code of conduct or certification scheme covering an organisation's processing activity becomes available, the organisation may wish to work towards it as a way of demonstrating compliance. When contracting work to third parties and processors, an organisation should also consider whether those parties have signed up to relevant codes of conduct or certification mechanisms.
Solvassure. Compliance Technology.