Data Protection Impact Assessment (DPIA)

Under the General Data Protection Regulation (GDPR), controllers must now:

Keep a record of their processing activities (see here for more details); and
Carry out a Data Protection Impact Assessment (DPIA) where the processing is likely to result in a high risk to the rights and freedoms of the data subjects.

A DPIA is a process designed to describe the processing, assess its necessity and proportionality, and identify and manage the risks to individuals' rights and freedoms that result from it.

Data Protection Officer: Appointment, Position and Skills

When an organisation appoints a Data Protection Officer (DPO), whether on a voluntary basis or because its processing activities meet the criteria set out in the GDPR (see here for more details), it should pay attention to the following points at the time of the DPO's appointment:
The contractual relationship between the DPO and the controller or processor
The skills and level of expertise of the DPO
The position of the DPO within the organisation and the resources to be allocated to the role

When to Appoint a Data Protection Officer

The designation of a Data Protection Officer (DPO) is either mandatory or voluntary depending on (i) the kind of organisation, (ii) its activities and/or (iii) the type of processing operations it carries out (e.g. scale, type of data, etc.).

According to article 37(1) of the General Data Protection Regulation (GDPR), the designation of a DPO is required in three specific cases:

Where the processing is carried out by a public authority or body, except for courts acting in their judicial capacity (case 1);

Where the core activities of the controller or the processor consist of processing operations which, by their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale (case 2); or

Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences (case 3).

Right to Data Portability

The right to data portability is a new individual right provided for in article 20(1) of the General Data Protection Regulation (GDPR).

This right allows data subjects to obtain from a data controller a copy of the personal data they have provided to it, in a structured, commonly used and machine-readable format, and to have those data transmitted to another controller of their choice, so that the data subject or the recipient controller can re-use the data to provide a service.

One-Stop-Shop under the GDPR: how does that work?

Under the General Data Protection Regulation (GDPR), organisations which carry out "cross-border processing" of personal data fall under a lead supervisory authority, determined by the location of their main establishment in the EU. This lead supervisory authority acts as their main point of contact for that processing.

Although initially introduced to lower the administrative burden on organisations, which previously had to deal with each Member State's authority separately, the one-stop-shop provisions were the main point of disagreement during the negotiation of the GDPR and, as a result, have become complex.

Indeed, these provisions only apply to cross-border processing activities and not to the organisation's processing activities as a whole. Besides, if the organisation's main establishment for the processing in question is outside the EU, the organisation will not benefit from these provisions and must deal with the supervisory authority of each Member State concerned. The mechanism also requires the organisation to identify, and where necessary document, which supervisory authority is its lead authority.