Who Is Responsible for Demonstrating GDPR Compliance?

GDPR laws were introduced into legislation in 2016 and became legally enforceable in May 2018. The regulations apply across the European Union and protect an individual’s personal data. GDPR laws are in place to ensure organisations only collect and store the data needed for a permitted purpose and for a limited amount of time. Failure to comply with the regulations can have severe consequences. Organisations are responsible for demonstrating their compliance GDPR, so it’s important to know who is responsible for demonstrating GDPR compliance and Cyber Essentials certification for your organisation can take part in improving compliance.

Under GDPR legislation, there are key roles that can help determine who is responsible for demonstrating compliance:

Data subject

A data subject is the individual to whom the collected personal data belongs. Personal data refers to anything that can be used to identify an individual, including name, passport number, financial records, address or employment details.

Under GDPR legislation, data subjects have rights to ensure that their personal information is stored securely, that their right to privacy remains intact, and to prevent organisations from deviating from GDPR rules.

Data controller

A data controller is a person or organisation who decides how a data subject’s personal data will be collected and for what purpose. It’s the data controller‘s responsibility to:

• Be accountable for lawfully collecting personal data.
• Create strict security measures, such as encryption, to protect data from unlawful access.
• Report data breaches if such an incident occurs.

Sometimes, there may be more than one data controller within an organisation. When Data Controllers decide on the purpose of personal data collection, they must ensure confidentiality and that no one or no organisation can access that personal data unauthorised or unlawfully.

Data processor

A data processor is an individual or third party who processes gathered personal data at the data controller’s request. A data processor‘s primary responsibilities include:

• Always acting under the specified role the data controller has given them.
• Processing collected personal data if the data controller permits it.
• Ensure that when processing data, GDPR is complied with.

Data protection officer

The data protection officer (DPO) is responsible for compliance GDPR throughout an organisation’s whole data collecting process. A data protection officer‘s responsibilities can include:

• Advising organisations on appropriate measures to take in data collection strategies.
• Inform organisations they have a responsibility to comply with GDPR laws.
• Monitor compliance.

Appointing a DPO is only mandatory in one of three situations:

1. When your organisation is a public authority or body;
2. If processing data subjects on a large scale;
3. If performing large scale processing of special categories of personal data and data relating to criminal conviction

Organisations may decide to assign someone already in their organisation in the role of DPO in addition to existing duties, rather than hire externally for a dedicated position.

Supervisory authority

As well as understanding who is responsible for demonstrating compliance with GDPR within an organisation, national supervisory authorities help oversee GDPR compliance and personal data protection within EU countries.

Ireland’s supervisory authority is the Data Protection Commission. It is responsible for upholding the rights of Irish citizens to have their personal data protected under GDPR legislation.

There are seven key principles of GDPR that organisations involved in the collection, storage and processing of personal data must be aware of. This includes data from customers and clients, employees and contractors, or other individuals such as patients, students, or members relevant to your organisation.

Purpose limitation

Personal data collected by organisations should be used only for an explicit purpose. It should not be used for any other reason that contradicts the original purpose of gathering the data. However, according to GDPR Article 5, if personal data is archived for public interests, scientific or historical research purposes, or statistical reasons, this is still in line with the original intent of collecting the personal data.

Accuracy

GDPR regulations state that any personal data gathered must be correct and up to date. If collected data is inaccurate, the necessary steps need to be taken to immediately delete erroneous information and replace it with the correct data.

Data integrity and confidentiality

Data controllers are responsible for ensuring appropriate security measures are in place to protect the integrity and confidentiality of personal data. These security measures must also protect against accidental loss and damage situations.

Storage limitation

This GDPR principle outlines that personal data should kept no longer than necessary for processing purposes and be removed if no longer need for its original stated purpose.

Data minimisation

Following the data minimisation principle means only gathering the data needed and not collecting data that is either unnecessary or hasn’t been authorised to be collected.

Lawfulness, fairness and transparency

The sixth GDPR principle is one of lawfulness, fairness, and transparency. This means that it is essential for data controllers and data processors to adhere to their responsibilities in protecting the data subject’s personal data to comply with the law.

There is an added seventh principle in the GDPR legislation. This principle focuses on the accountability of the data controller and making sure they conduct their duties in a way that adheres to the other six GDPR principles. The data controller is the person responsible for demonstrating GDPR compliance.

If an organisation fails to comply with GDPR, it could face legal consequences including bans on processing data, and fines of up to 20 million Euros, or 4% of an organisation’s annual worldwide turnover, depending on which is the greater amount.

Our Cyber Essentials certification can help your organisation determine who is responsible for demonstrating compliance with GDPR. Cyber Essentials covers areas such as access control and security configuration. Cyber Essentials certification shows your commitment to protecting personal data, compliance with key GDPR and data protection legislation, and helps your organisation win contracts where certification in Cyber Essentials is necessary.

You may also be interested in our ISO 27001 Introduction Training. This one-day workshop provides a foundational and practical understanding of Information Security, including information security measuring and best practice standards.