Who is responsible for demonstrating GDPR compliance?
When we are working with prospective or new clients, we are often asked this question. There isn’t a short answer but we will highlight some steps you can take to begin to demonstrate that you are complying with the GDPR. This is not an exhaustive list by any means, but is intended to be a set of proactive steps.
The General Data Protection Regulation (GDPR) relates to the processing of ‘Personal Data’. Unfortunately, and this is where there is lots of confusion, the GDPR does not provide a definitive list of items that are considered Personal Data. The GDPR, in Article 4(1) states
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
So, to break that down, the GDPR relates to data that either on its own (directly), or in conjunction with other data (indirectly) that can be used to identify a living human being.
The GDPR also describes the concepts of Data Controllers and Data Processors. A data controller could either be an organisation (e.g. bank, retailer) or an individual (e.g. general practitioner) that collects and processes information about customers, patients, etc. Under the GDPR, the data controller is responsible for ensuring that data is processed in compliance with the principles of lawfulness, fairness, transparency, data minimisation, accuracy, storage limitation, integrity, and confidentiality. A Data Controller generally makes the decisions around the what, why, who, when and how personal data will be processed.
So, if you are running a business and employing staff, you are a data controller for that processing. You must keep in mind here that the GDPR does NOT just apply to large organisations. Individuals, SMEs, community groups and not for profit organisations who process personal data are all responsible for complying with the GDPR. There is no differentiator in the application of the principles of the GDPR in terms of the organisation size.
One of the most important obligations that organisations have is preparing Records of Processing Activity (RoPA). Article 30 of the GDPR details the requirements and responsibilities of Data Controllers in relation to these records.
In our experience, many organisations have inadequate RoPA and there are organisations that are not aware that this is a requirement.
So, if you are a Data Controller, you will need to maintain documentation that details the following:
- the name and contact details of the [Data] controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
Many organisations believe that they are not responsible for maintaining these records as they are only small entities. This is, in many cases, incorrect.
There are some exemptions to maintaining these records. Article 30(5) states:
The obligations … shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
Your organisation may not process data that results in a risk, let alone high risk, to the data subjects. Likewise, you may not process special category data or data relating to criminal convictions or offences but, you will be processing more frequently than occasionally. There is guidance form the European data Protection Board (EDPB) to this effect, they state:
‘To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record – keeping’…
Therefore, although endowed with less than 250 employees, data controllers or processors who find themselves in the position of either carrying out processing likely to result in a risk (not just a high risk) to the rights of the data subjects, or processing personal data on a non-occasional basis, or processing special categories of data under Article 9(1) or data relating to criminal convictions under Article 10 are obliged to maintain the record of processing activities.
However, such organisations need only maintain records of processing activities for the types of processing mentioned by Article 30(5).
For example, a small organisation is likely to regularly process data regarding its employees. As a result, such processing cannot be considered “occasional” and must therefore be included in the record of processing activities.
Finally, In addition to the RoPA, it would be recommended that your organisation drafts and maintains a library of supporting documentation in support of your GDPR compliance program. Again, the GDPR does not provide us with a definitive list but, we have seen Data Processing Agreements, Data Protection Policy, ICT Policy, Password Policy, Retention Policy amongst others specifically requested by the Data Protection Commissioner.
We do not advocate that documents are copied from the internet, or even templates being used. These documents will have little or no context in relation to your organisation and how it processes personal data.
Your supporting documentation must give an accurate description of who you are and how your organisation processes data including how long you retain data and who you might share that data with.