Obligations of data controllers and processors under the GDPR
The General Data Protection Regulation (GDPR) came into force across the EU on 25 May 2018.
As an EU regulation, it did not generally require transposition into Irish law (EU Regulations have direct effect) so organisations involved in data processing of any sort need to be aware that the GDPR addresses them directly in terms of the obligations that it imposes.
The Data Protection Act 2018, which was signed into law on 24 May 2018, has given further effect to the GDPR in areas where member states have flexibility (for example, the digital age of consent).
The GDPR very significantly increases the obligations and responsibilities for organisations and businesses in how they collect, use and protect personal data. Organisations and businesses are required to be fully transparent about how they are using and safeguarding personal data, and to be able to demonstrate accountability for their data processing activities.
Under the GDPR, personal data is data that relates to or can identify an individual either by itself or together with other available information. Examples of personal data include a person’s name, phone number, bank details and medical history.
A data subject is the individual to whom the personal data relates. You can read about the rights of data subjects in our document Your rights under the GDPR.
Data controllers and data processors are organisations that collect or use personal data.
This document outlines the obligations of data controllers and processors under the GDPR. You can read about the concepts and principles involved in our document Controlling and processing data under the GDPR - concepts and principles.
The obligation to design appropriate processing systems
The GDPR has introduced the concept of privacy by design. This means the inclusion of data protection measures from the outset of designing a processing system. The controller must implement appropriate technical and organisational measures in order to meet the requirements of the Regulation and protect the rights of data subjects.
For example, controllers should design their processes so that they collect only the data absolutely necessary for their purposes, and access to personal data should be limited to only those necessary for processing. Controllers may also temporarily anonymise personal data.
Controllers will be able to apply for certification from a supervisory authority, which will demonstrate that their processes are designed to comply with the Regulation. In Ireland, this supervisory authority is the Data Protection Commission.
The obligation to use processors that meet the requirements of the legislation
Where processing is to be carried out by a processor and not the controller, the controller must use only those processors who guarantee that their systems of processing meet the requirements of the Regulation.
Examples of processors of his nature include payroll companies, accountants and market research companies, all of which could hold or process personal information on behalf of someone else. Cloud providers are also generally data processors.
The controller must have a contract with the processor setting out the scope of the processing required by the controller and the processor’s obligations under the Regulation. A processor cannot outsource this processing to another processor without the controller's consent and a similar contract agreed with that second processor.
Processors should follow any relevant code of conduct that may be prepared by the Data Protection Commission. Processors may also receive certification demonstrating their compliance with the Regulation.
The obligation to keep records
Under the GDPR, any controller that has more than 250 employees, or that processes sensitive information, must keep a record of the processing activities under its responsibility.
That record will consist of:
- The name and contact details of the controller
- The purposes of the processing
- A description of the categories of data subjects and personal data
- Categories of recipients of the data
- Any transfers of data to third countries and that country's data safeguards
- Time limits for erasure of data
- A description of the data security measures in place
Processors must keep similar records. These records can be inspected by the Data Protection Commission on request.
The obligation to keep data secure
Controllers and processors have an obligation to keep personal data secure. Under the GDPR, controllers and processors must consider implementing modern security measures appropriate for the risks involved in their activities. For example, risks may come from accidental or unlawful destruction of stored data or unauthorised disclosure, access or alteration.
The security measures may include anonymisation or encryption of data and restoring or backing up stored data. Controllers and processors will need to review and evaluate their security measures to comply with any code of conduct that may be published in the future.
The obligation to report data breaches
Under the GDPR, a controller must notify the Data Protection Commission of a personal data breach without delay where that breach is a likely to result in a risk to the rights and freedoms of the data subject. Notification should be made within 72 hours of the controller becoming aware of the breach. Data processors must notify the respective controllers if the processor becomes aware of a breach. The controller should also notify the data subject without delay.
The obligation to carry out data protection impact assessments
Under the GDPR, when a controller intends to carry out high-risk processing they must first carry out a data protection impact assessment (DPIA). The Data Protection Commission will prescribe a list of the kind of processing operations that may be high risk. These processes may include processing using new technology, profiling and automated decision-making processing, processing large amounts of sensitive personal data or systematically monitoring a publicly accessible area.
The data protection impact assessment should include:
- A description of the processing and the purpose
- An assessment of the necessity of the processing
- An assessment of the risks to the rights and freedoms of the data subjects
- The measures to be used to address the risks
The controller may consult with the Data Protection Commission, which may provide advice to the controller. The Data Protection Commission has published detailed guidance for controllers on how and when to carry out a DPIA.
The controller should carry out a review after the processing has begun to ensure it is being performed in line with the data impact assessment that was carried out.
The controller should also seek the advice of its data protection officer.
The obligation to appoint data protection officers (DPOs)
Under the GDPR, data protection officers must be appointed by controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale or of special categories of personal data or data relating to criminal convictions and offences.
Data protection officers:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
- May be a staff member or an external service provider
- Must provide contact details to the Data Protection Commission
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
- Must report directly to the highest level of management in their organisation
- Must not carry out any other tasks that could result in a conflict of interest
DPOs must be involved in all issues of data protection and must be given the resources to carry out their tasks.
You can contact the DPO of an organisation about any issues relating to your personal data held by that organisation.
The tasks of the DPO are to:
- Inform and advise their organisation about its data protection obligations
- Monitor their organisation's compliance with the GDPR and any national data protection legislation
- Advise on data protection impact assessments and monitoring performance
- Liaise with the supervisory authority
The Data Protection Commission has issued published detailed guidance on appropriate qualifications for a DPO.
The obligation to comply with codes of conduct and certification
Associations and other bodies representing controllers and processors may prepare codes of practice that will specify how the GDPR should be specifically applied. These bodies must submit their draft codes of conduct to the Data Protection Commission for approval.
In order to enhance transparency and compliance with this Regulation, the GDPR will introduce certification mechanisms and data protection marks, allowing data subjects to quickly assess the level of data protection of relevant products and services. A list of certified organisations will be publicly available.
Codes of conduct and approved certification mechanisms will also assist controllers, in identifying the risks related to their type of processing and in adhering to best practice.
For processors seeking to process information on behalf of controllers, the adherence of a processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.
The obligations relating to transferring data outside the EU
Any transfer of personal data outside the EU or to an international organisation will be strictly regulated under the GDPR. The Regulation also applies to any onward transfer of personal data from one non-EU member state to another.
Such a transfer of personal data may only take place where the European Commission has decided that the non-EU member state or business sector within that country has an adequate level of data protection in place. In deciding if there is adequate protection, the Commission will look at that country's laws, respect for human rights, the existence of any data protection authority and the international commitments that country has made relating to personal data. After deciding if a country or sector has adequate data protection, the Commission will continue to monitor that country in terms of its data protection practices.
The Commission will publish a list of all such approved countries, sectors and international organisations.
If a controller or processor wants to transfer data to an unapproved country, sector or international organisation, that controller or processor must provide the appropriate safeguards and ensure that any data subjects will still be able to exercise their rights.
Supervision and enforcement
Independent supervisory authorities
Under previous Irish legislation, the Data Protection Commissioner was responsible for supervising data protection in Ireland. Under the GDPR, each EU member state must have one or more independent public authorities responsible for monitoring the application of the Regulation. In Ireland, this supervisory authority is the Data Protection Commission.
(Under the Data Protection Act 2018, the Data Protection Commission has replaced the Data Protection Commissioner.)
The Data Protection Commission will:
- Monitor and enforce the application of the GDPR
- Promote public awareness of the rules and rights around data processing
- Advise the Government on data protection issues
- Promote awareness among controllers and processors of their obligations
- Provide information to individuals about their data protection rights
- Maintain a list of processing operations requiring data protection impact assessment
The Data Protection Commission has the power to order any controller or processor to provide information that the authority requires to assess compliance with the Regulation. It may carry out investigations of controllers and processors in the form of data audits, including accessing the premises of a controller or processor. It can order a controller or processor to change their processes, comply with data subject requests. The Data Protection Commission can also issue warnings to controllers and processors and can ban processing as well as commence legal proceedings against a controller or processor.
Organisations that are engaged in cross-border processing of personal data can use a new mechanism, the one stop shop (OSS) to enable them to deal with a single lead supervisory authority for most of their processing activities.
European Data Protection Board
The GDPR will introduce a new European data protection supervisory authority. The European Data Protection Board (EDPB) will be responsible for ensuring the GDPR is applied consistently across The European Union. It will issue guidelines and recommendations on the application of the Regulation. It will also advise the EU Commission on the application of the Regulation and any updates that may be required.
The EDPB is made up of the head of one supervisory authority of each member state and a European Data Protection supervisor.
Penalties apply to both controllers and processors who breach the Regulation. There are different penalties, depending on the seriousness of the breach.
For the most serious infringements (for example, not having sufficient customer consent to process data or violating the core of privacy by design concepts) organisations can be fined up to 4% of their annual global turnover or €20 million, whichever is greater.
Each member state may introduce further fines legislation, which will be enforceable within that state only.
Under the GDPR, organisations in breach of the Regulation can be fined up to 2% of their annual global turnover or €10 million, whichever is greater, for lesser breaches. Some examples of lesser breaches include: not having records in order, not notifying the supervisory authority and data subject about a breach or not conducting an impact assessment.