With the new data protection regulation coming into force in May 2018 (GDPR), data controllers (a company or public authority that uses personal data for its own business purposes) will be subject to new or more specific obligations.
Data controllers' obligations under the GDPR may be grouped as follows:
Data controllers' obligations vis-à-vis individuals using their services:
With regard to individuals using their services, data controllers must:
- Obtain a valid consent where necessary and implement the necessary opt-out option (see guidance here)
Data controllers' obligations with regard to their internal organisation:
With regard to their internal organisation, data controllers must:
- Appoint a Data Protection Officer where required under the GDPR (see here for more details)
- Draft and implement internal policies and procedures to ensure they can handle any kind of data subject request, a security breach notification, etc.
- Ensure the security and confidentiality of the personal data collected (this responsibility is now partially shared with the subcontractor/processor)
Data controllers' obligations with regard to the compliance of their data processing activities:
When it comes to ensuring the compliance of their data processing activities, data controllers must:
- Maintain a record of all their data processing activities (see here)
- Apply the privacy by design and by default principles (see here) which includes implementing policies in order to comply with the data protection principles (see here)
- Conduct a data protection impact assessment where required under the GDPR (see here)
Data controllers' obligations when sharing personal data with third parties:
Data controllers have an obligation to enter into a contract with their data processors, and it is also strongly recommended that they enter into a data transfer agreement with any other data controller. Therefore, a data controller should do the following when sharing personal data:
- Update agreements with subcontractors and partners to comply with the GDPR
- Ensure any personal data transfer outside of the EU is compliant with the GDPR (i.e. is the transfer framed by a recognised tool such as binding corporate rules (BCR), standard contractual clauses, etc.?)
The scope and complexity of each obligation must be adapted to the context (i.e. the kind of data processing in place, the amount and sensitivity of the personal data processed, how much information is shared, etc.).