GDPR A to Z
A is for Accountability
Organisations (e.g., controllers and processors of data) have to be accountable – they have to take responsibility for their compliance with the GDPR (including appropriate organisational and technical measures) and for the data they are processing.
A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. A breach can potentially have a range of significant adverse effects on individuals, which can result in physical, material or non-material damage. To adequately respond to, and deal with data breaches, your organisation must draft and maintain a detailed data breach policy document. The aim of this document is to outline how your organisation will respond to any such data breach events. Organisations need to be aware of their responsibilities for data breaches, in particular the timeframes and notification responsibilities to their supervisory authority and to data subjects.
B is for Breaches
C is for Controllers vs. Processors
Obligations under the GDPR differ depending on whether you are a data ‘controller’ or a data ‘processor’ (note: you can be both!). If your organisation makes the decisions on what data is collected, when it is collected and what it is used for, then there is a high likelihood that you are a controller. Controllers are exposed to the highest level of compliance responsibility – you must comply with, and demonstrate compliance with, all the data protection principles as well as other GDPR requirements. You are also responsible for the compliance of your data processors. A processor does not make decisions around data, rather they process data on behalf of the controller. Processors do not have the same obligations as controllers under the GDPR. However, if you are a processor, you do have a number of direct obligations of your own under the GDPR.
Under Article 37 of the GDPR, organisations are to appoint a Data Protection Officer (‘’DPO’’) if the core activities they carry out are on a large scale, require regular monitoring of data subjects or if the processing is being carried out by a public authority or body. The primary role of the data protection officer (DPO) is to ensure that their organisation processes the personal data of its staff, customers, providers or any other third-party individuals in compliance with the applicable data protection rules.
A DPO should have an adequate level of skill and knowledge and should facilitate compliance and act as an intermediary between the relevant supervisory authority, data subjects, and the organisation. The DPO has to be independent, they cannot hold a position in an organisation where they have the authority to decide the purposes for which personal data is processed and the means by which it is processed and organisations must be careful when using the title “Data Protection Officer” unless the position fulfils all of the criteria set out in the GDPR for appointing a DPO.
D is for Data Protection Officer
E is for European Representative
If you are an organisation which processes data of EU citizens that does not have a branch or establishment in the EEA, you are required to appoint a European Representative. This can be an individual or company that is established in the EEA who can represent you and be a contact point for data subjects and supervisory authorities. XpertDPO act as a European Representative for a number of our international clients. We can assist you with your European Data Protection needs. For more information, please visit Article 27 European Representative Service
Data protection authorities can impose fines non-compliance with the GDPR. The nature of the infringement determines the fine, as well as which article of the GDPR was infringed upon. Fines can either be:
- €10,000,000 or, in case of an undertaking, 2% of total worldwide annual turnover in the preceding financial year (whichever is greater).
- €20,000,000 or, in case of an undertaking, 4% of total worldwide annual turnover in the preceding financial year (whichever is higher).
Data protection authorities also have range of corrective powers and sanctions they can enforce, including warnings, reprimands, and bans. Outside of this, individuals also have the right seek compensation for material and non-material damage (material being actual damage that is quantifiable (e.g., loss of money) and non-material damage being any non-financial damage, e.g., pain and suffering).
A DPO should have an adequate level of skill and knowledge and should facilitate compliance and act as an intermediary between the relevant supervisory authority, data subjects, and the organisation. The DPO has to be independent, they cannot hold a position in an organisation where they have the authority to decide the purposes for which personal data is processed and the means by which it is processed, and organisations must be careful when using the title “Data Protection Officer” unless the position fulfils all of the criteria set out in the GDPR for appointing a DPO.
F is for Fines
G is for GDPR
The General Data Protection Regulation (‘’GDPR’’) is the primary law that regulates the way that organisations protect the data of EU citizens. It came into force on May 25, 2018. The GDPR ensures that there is a more uniform and consistent approach to data protection across the EU and EEA. It gives individuals control over their data and aims to ensure that fundamental rights and freedoms in relation to personal data are respected.
Having adequate and accurate documentation under the GDPR is all important – your documentation helps you demonstrate your compliance. Whether it be a set of policies, your Article 30 Records of Processing Activities, data sharing agreements, or copies of audit reports, your documentation should be there to guide you and should evidence the steps you’ve taken to get where you are in your GDPR compliance journey.
H is for Having Documentation
I is for Impact Assessments
Data protection impact assessments (‘’DPIAs’’) are required if you are beginning a project that is likely to involve high-risk processing activities. A DPIA will improve your awareness of data protection risks associated with a project. A DPIA should also be carried out for any processing operations that are already underway, or if there have been any changes in your operations. DPIAs should be updated as your organisation changes and implements new technology. DPIAs are not always required, however it is best practice to carry one out if you are not sure as it helps you to comply with data protection law. DPIAs are important tools for accountability, as they help controllers not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Regulation.
Organisations need to have a justification – or grounds for processing data. Without a justification for processing data, it is likely you are processing data illegally. In order to ensure you have justified why it is you processing data you need to have determined your legal bases and purposes for processing data. Organisations should also take the GDPR principles into consideration when assessing their grounds for processing to ensure they are compliant with the GDPR.
J is for Justification (for processing personal data)
K is for Keeping Records of Processing Activities
Records of Processing Activities (‘’RoPA’’) is a form of data inventory that is required under Article 30 of the GDPR. A RoPA is basically a data mapping exercise. Your RoPA should be updated on a regular basis to include why the data is being held, why and how it was originally gathered, how long it is to be retained for, what security measures are in place, the data’s accessibility, and if the data is shared with third parties how, why, and when. Having an up-to-date and accurate RoPA is a key part of GDPR compliance. Organisations are required to provide their RoPA to their supervisory authority on request, and harsh penalties are given to organisations who have not completed this essential GDPR documentation.
Organisations must determine the lawful basis for processing prior to processing any data.
Under Article 6 of the GDPR there are only six lawful bases under which Personal Data can be lawfully processed. The six lawful bases are:
- Consent: The data subject has given clear consent for you to process their personal data for one or more specific purposes.
- Contract: The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal Obligation: The processing is necessary for you to comply with the law (not including contractual obligations).
- Vital Interests: Processing is necessary in order to protect the vital interests of the data subject or of another natural person. One of the strictest principles, generally only used in life-or-death situations.
- Legitimate Interest: The processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
- Public Interest: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
L is for Lawful Bases
M is for Mitigating Risk
Complying with the requirements of the GDPR helps to mitigate risks when processing personal data. Carrying out regular audits of your organisation’s policies, documentation and records can help to highlight any gaps or risk areas that need more work. Regular training of staff to ensure they are aware of their responsibilities for the protection of data is essential and helps to mitigate risk. Investing in technology can assist organisations with their GDPR compliance – and this doesn’t need to be big budget technology either. Carrying out Data Protection Impact Assessments will also highlight any risks in projects. It is essential that companies are aware of the risks associated with the data they are processing, and the effects these could have on data subjects. Maintenance of a risk register here is a good way to document your attitude to risk.
Notification links in with transparency under the GDPR. Organisations have to notify data subjects in a number of circumstances. It is important to keep communication channels with the individuals whose data you are processing open and accessible. For example, there is an obligation on organisations to notify their supervisory authority and individuals affected of a data breach where the breach presents a risk to the affected individuals.
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR states that you must inform those concerned directly and without undue delay. In principle, the relevant breach should be communicated to the affected data subjects directly, unless doing so would involve a disproportionate effort. Another example of notification under the GDPR is having a well-structured, clear, and easily accessible privacy notice that notifies individuals of your purpose and is a public statement of how your organisation applies data protection principles to your data processing activities.
N is for Notifying
O is for Obligations
Organisations have a number of obligations under the GDPR. The GDPR requires any organisation processing personal data to have identified a valid legal basis and purpose for processing for each processing activity. Organisations need to have:
- Determined their position as a controller or processor of data
- Implemented appropriate technical and organisational measures to aid with GDPR compliance
- Adequate documentation on what personal data is processed, such as the Article 30 Records of Processing Activities
- Determined what data it is they’re processing, how, what for and for how long
- Appointed a data protection officer (where required)
- Processes in place to respond to data subject requests (such as the right to be forgotten)
- Carried out risk assessments and Data Protection Impact Assessments (where required)
- Defined procedure around data breaches and notification of breaches
- Have contracts in place (including data sharing and processing agreements)
- A risk-based approach to working, with data protection by design and by default
In order to process personal data lawfully under the GDPR, you need a purpose for processing the data. Alongside your purpose, you must determine the lawful basis for processing before you process any data and it is good practise to document the decision-making process. Without defining your purposes for processing, you are processing data illegally.
The GDPR requires organisations to be aware of and comply with seven fundamental principles:
- Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner
- Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Data minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accuracy: Personal data shall be accurate and, where necessary, kept up to date
- Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes which the personal data are processed
- Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures
- Accountability: The controller shall be responsible for, and be able to demonstrate compliance with the data protection principles.
P is for Purpose and Principles
Q is for Quantify
GDPR protects the personal data of the individual. The regulation recognises the value of taking a risk-based approach. Risk quantification helps organisations prioritise investments in GDPR compliance. This risk-based approach to privacy regulation using quantification also applies to other data protection and privacy regulations around the globe.
Organisations must invest in controls but may have limited resources in order to do so. Once the obvious must have controls and processes are in place then trade-offs and decisions need to be made to further reduce risk. The data used to inform these decisions is often very subjective and based on worst case scenarios rather than critical thinking informed by quantified data.
We can do this by developing risk scenarios and for each scenario quantify risk from the organization’s point of view and also from the data subjects point of view. Once we have this baseline view of risk scenarios, we can then model the introduction of additional controls and understand how they further reduce risk for each scenario.
This allows us to perform a cost benefit analysis of proposed projects and decide which ones reduce the risk to the organisation the most and also better protect the privacy of the individual. This can be done in the context of the DPIA process or when looking at broader enterprise-wide information security programs.
Data protection is a fundamental human right. All individuals are entitled to have their data protected, to have it used in a legal manner, to have access to their data and the option to rectify it if it is incorrect.
Under the GDPR, data subjects have eight rights:
- Right of access
- Right to be informed
- Right to rectification
- Right to erasure (‘’right to be forgotten’’)
- Right to restrict processing
- Right to data portability
- Right to object
- Rights in relation to automated decision making and profiling
Organisations have a limited timeframe to respond to requests from data subjects in regards to their rights under the GDPR of 30 days.
Under the GDPR, the data subject also has recourse to a number of options in the case of a complaint about data protection
- Right to lodge a complaint with a supervisory authority
- Right to an effective judicial remedy against a supervisory authority
- Right to an effective judicial remedy against a controller or processor
Having completed data mapping exercises, policies in place, and your staff trained in how to respond requests, it will help to avoid fines and reputational damage and ensure that individuals requests are responded to, accurately and quickly.
R is for Rights
S is for Special Category Data
Special Category Data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. If your organisation processes special category data, you must identify both a lawful basis for general processing under Art. 6 and an additional condition for processing this type of data.
Organisations should ensure that they are being transparent in the ways in which they are processing or using data. Transparency is an important principle under the GDPR. Organisations should communicate with data subjects in a clear and accessible way about the ways in which their data is being processed or used (such as in a privacy notice). Transparency means that individuals can trust that your organisation is treating their data ethically and fairly.
T is for Transparency
U is for Undue Delay
Undue delay is referred to in the GDPR, but what does it actually mean? There is no legal definition for undue delay, and unlike other GDPR requirements such as the 30-day response time for Data Subject Access Requests, the GDPR does not specify any timeframes for this. However, the European Data Protection Board (‘’EDPB’’) has defined undue delay to mean ‘as soon as possible’. Organisations should have compliance fundamentals (such as procedures) in place to ensure they can respond to requests as quickly as they can.
Vetting third parties and any data processors should be on any organisation’s radar for GDPR compliance. Gaining an understanding of organisations or service providers you work with and how they handle data ensures higher levels of compliance and reduces risk. Organisations should be looking at where their processors are storing their data and what security is afforded. Data processing agreements and contracts should be in place that detail the terms in writing, for example what happens to your organisation’s data at the end of the contract. Doing your due diligence and assessing any third parties you use reduces risk and can mean a better service is provided.
V is for Vetting
W is for Why does it matter?
The GDPR gives individuals more control over their personal data and protects their fundamental rights and freedoms. Data protection is a fundamental right set out in Article 8 of the EU Charter of Fundamental Rights. Technological advancements and globalisation have resulted in an increase in the amount of data being shared and individuals increasingly create and share information, a lot of which is public. The GDPR serves to afford individuals more rights around their data.
XpertDPO provides data security, governance, risk and compliance, GDPR and ISO consultancy to public and private sector organisations.
We help change our clients relationship with the data they process. Data protection, security and governance is at the core of our business. We look after the whole lifecycle of your data processing via our outsourced data protection officer service and our GDPR compliance services. We also provide ISO 27001 and ISO 27701 certification consultancy to our client base, offering a value based, pragmatic approach to achieving certification. We also specialise in offering Nominated European Representative Services to non-EU and non-UK based organisations.
At XpertDPO, our approach is that the data security function must align with, and be driven by, your business objectives. This is at the core of our ethos. XpertDPO can help you to transform the regulatory constraints of the GDPR and other relevant regulations into opportunities, ensuring that your compliance journey has a positive impact on your existing economic and organisational models. Put simply, we take care of your compliance headaches, allowing you to concentrate on your core business goals.
X is for XpertDPO
Y is for Yielding Benefits
GDPR compliance can yield a number of benefits for organisations including:
- It saves money in the long-term
- Allows for better systems and processes to be developed
- Organisations are less likely to receive fines and sanctions
- Compliance boosts confidence in your business
- Your reputation is upheld as you are not using data for unspecified purposes
- Valuable employee time is spent on something that ends up of little use – more efficient
- More effective profiling and understanding of customer/client as the data you hold is accurate
- Reporting and figures are more accurate, data quality higher
- Easy way to keep communication channels open with your customers/clients
The idea of a ‘Zero Trust’ model of security is to never trust and always verify. The concept of trust can lead to businesses being vulnerable to security risks. Imagine you find out that one of your business’ suppliers was storing your operational secrets in a publicly accessible office with no security? It is important to assess and verify the compliance practices of any third parties. An example of a zero-trust principle in action would be an organisation setting access controls through policy so that only those who need to access the data have access to it. Utilising zero trust methodologies can reduce risks such as data breaches.
Z is for Zero Trust
Data Protection journey with us?
XpertDPO is a data security, governance, risk and compliance, GDPR and ISO consultancy that offers practical, tailor-made solutions.
We are one of the leading providers of Outsourced Data Protection Officer services in Ireland and the UK. We also specialise in offering Nominated European Representative Services to non EU based organisations.