
Lecture 3 responsibilities of controller and processors v.2


responsibilities of controller and processors

Published in: Education

  1. A quick recap of Lecture 2
     • The GDPR grants data subjects many rights over the control of their personal data, including notification, erasure, portability, and protection from profiling
     • Pseudonymization (replacing identifiable fields in a data set with pseudonyms) is strongly recommended by the Regulation
     • Anonymized data cannot be traced back to an individual and is not covered by the Regulation

  2. Lecture 3: Responsibilities of Controllers and Processors. Corporate Compliance Requirements

  3. In this lecture, you will learn:
     1. What are data controllers and data processors?
     2. What are the responsibilities of controllers and processors?
     3. What is "data protection by design and by default"?
     4. Required safeguards, notifications, and documentation

  4. What are controllers and processors?
     • Controllers determine the purposes and means of processing personal data; usually the collector of the data (a controller does not need to be physically located in the EU)
     • Processors are engaged to process personal data on behalf of the controller
     • Controllers are responsible for monitoring processors' compliance
     • Both controllers and processors are responsible and liable for legal compliance under the new EU Regulation

  5. Responsibilities of Controllers
     • Primary responsibility to data subjects
     • Ensure and demonstrate compliance with the GDPR
     • Controllers outside the EU that regularly process personal data relating to people within the EU must designate a representative within the EU to manage compliance
     • Ensure data processors' compliance with the GDPR and with the processing contract
     • Required to implement data protection by design and by default
     • Joint controllers need to allocate and divide their responsibilities and their communications with data subjects

  6. Data Protection by Design
     • Data protection by design: data protection principles are integrated into the design of systems that manage personal data
     • E.g., databases can be designed to perform pseudonymization and anonymization

  7. Data Protection by Default
     • Data protection by default: safeguards that limit the processing of data are built into systems so that, by default, only the personal data necessary for each specific purpose is processed
     • E.g., automatic erasure of deactivated customer accounts
     Data controllers are responsible for implementing, and for demonstrating, data protection by design and by default.

  8. Responsibilities of Processors
     • Must be governed by a contract addressing how data will be processed, how requests from data subjects will be fulfilled, and whether data will be transferred to any third countries
     • Delete or return all data at the end of service provision
     • Make information available to the controller to demonstrate compliance
     • Notify the controller in the event of a breach
     • Not engage a sub-processor without the controller's authorization

  9. Direct GDPR effects on data processors
     • The GDPR introduces direct statutory obligations on processors and severe sanctions for compliance failures (liability no longer rests with data controllers alone)
     • This has a big impact on non-EU data processors
     • Processors face the same risk of fines as controllers
     • A data processor is also a data controller in its own right for any records it keeps for its own purposes, independent of the data it processes on behalf of the controller

  10. Required data protection practices:
     1. Data protection by design and by default
     2. Safeguards
     3. Breach notification
     4. Documentation

  11. Required Safeguards
     • Security practices and technologies appropriate to the level of risk
     • Breach notification to supervisory authorities and to affected individuals
     • Data protection impact assessments (DPIAs) for high-risk projects
     • Prior consultation with the supervisory authority about high-risk projects where the DPIA shows the risk cannot be mitigated
     • Appointment of a data protection officer where required

  12. Breach Notification
     Definition: "A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."
     • Breaches must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (e.g., the data were encrypted or pseudonymized and the key or mapping was not compromised)
     • Breaches likely to result in a high risk to the rights and freedoms of natural persons (e.g., unencrypted data) must also be communicated to the affected data subjects without undue delay

  13. Records of Processing Activities
     • Companies with 250 or more employees, and smaller companies whose processing is not occasional, is likely to result in a risk, or involves special categories of data*, are required to document:
     • Contact information for the controller/processor and, if applicable, for the controller's or processor's representative and data protection officer
     • Purposes of processing
     • Categories of data subjects and of personal data
     • Data transfers to third countries
     • Where possible, timelines for the erasure of different categories of data
     • Where possible, a description of the technical and organizational security measures
     *Refer to Lecture 1 for a definition of "special categories of data"

  14. Policies and Notices
     • Concise, transparent, intelligible and easily accessible policies
     • The notice given at the time of data collection must include:
       – Identity and contact details of the controller and of the controller's DPO
       – Purposes of processing and the legal basis (e.g., identify the legitimate interest relied on)
       – Recipients or categories of recipients
       – Transfers to third countries, the existence or absence of an adequacy decision, and the appropriate safeguards in place
       – Retention periods and the existence of the data subject's rights
       – The right to lodge a complaint with a data protection authority
       – Whether providing the data is a legal or contractual requirement
       – The existence of any automated decision-making, including profiling