Responsibility under the GDPR

Now that we have covered all the essentials about GDPR, there are still some issues that need to be considered on a more global level. One of them is the responsibility of processors and controllers. All persons processing personal data must comply with the requirements set out in the GDPR, and must also be able to demonstrate and prove that those requirements have been met. If you are familiar with audits, you will know what this entails. Once you have explained by what means you ensure compliance with the specific obligations, you must also demonstrate that you actually follow the relevant procedures and that you adequately monitor how they are carried out by your employees. This is the subject of this blog post.

A large part of the administrative work consists of demonstrating that you are familiar with and understand all aspects of the GDPR, and that your own organization complies with its requirements. Implementation should be pragmatic but comprehensive, especially in small businesses, organizations and associations. You can find many tips on how to do this in the previous posts. In the future, you will need to keep your documentation up to date.

First, you must ensure that your organization has sufficient expertise. In organizations that have a Data Protection Officer (DPO), the responsibility is entrusted to the DPO and his or her staff. Even if you do not have a DPO, you need to be well informed and provide training to your employees.

Records of personal data processing operations are essential to demonstrate compliance. You are obliged to keep these records under the GDPR, and at the same time they provide an ideal starting point for documenting how you ensure data protection. For each processing operation described, you must demonstrate that you have thought through the purpose and legal basis of the processing operation, that you have weighed the risk of a data breach, and that you have taken all appropriate security measures. Of course, it is also necessary to develop an appropriate procedure to ensure that this information remains complete. Each additional processing operation must be entered in the records. The DPO has an important role to play in this regard. He or she provides assistance and monitors whether the procedure is performed accurately and in a timely manner.

In the case of major projects, this preliminary examination can be further formalized in the form of a Data Protection Impact Assessment (DPIA). This is a formal analysis of a data processing operation whose purpose is to identify all potential privacy risks, list all protection measures and determine whether the purpose and legal basis of the processing operation cover the remaining risks. If an intensive processing operation involves special categories of personal data, a DPIA must be submitted to the data protection authority (DPA – in Belgium this is the Privacy Commission).

Of course, all measures taken in the area of security must also be properly documented. When conducting a data protection audit, you are expected to be able to immediately demonstrate which procedures are applicable, from when the most recent version applies, which employees apply each procedure, and whether these employees have been notified and know what to do. If any of the procedures include periodic checks, it is important to establish in one way or another that these checks are actually performed. It is best to keep technical log files and monitoring reports for some time. If manual checks are performed, it is necessary to create a short report or maintain a log, for example, in order to show when these checks were performed and by whom. In addition, the entire security system should be evaluated periodically (at least once a year) and adjusted to reflect changes in the organization, the tools and techniques used or the security solutions available.

In this context, you should pay special attention to the logging of incidents and data breaches. Any situation that conflicts with normal security procedures and any finding that reveals a risk of a data breach must be accurately recorded in an incident log. Obviously, the items in this log need to be investigated further to determine their underlying cause. At the same time, actions are planned to reduce risk. Examples of measures that may be adopted include additional technical security measures, additional or modified procedures and controls, and new forms of notification or registration. This needs to be documented so that you can demonstrate your responsibility. While a complex monitoring system is not necessarily required for this purpose, you should at least have several well-organized records containing information on all incidents (including their analysis and agreed solutions), as well as all action items, their status and the person to whom responsibility has been assigned.

Special attention should be paid to contractual agreements with partners or suppliers. It is necessary to conclude data processing agreements with subcontractors to ensure that they also comply adequately with the legislation. It is a good idea to keep records of the subcontractors to whom you have entrusted your personal data processing operations, specifying precisely what each subcontractor has had to do and how you have come to an agreement about it. This can be linked to a specific contract. In addition, you should make sure that your own house is in order if you are a processor acting for a client. The processing operations must be entered in your records, although as the processor you do not need to enter as many details as the data controller. Again, it is essential that all crucial agreements are included in a data processing agreement.

Finally, you must be able to demonstrate that you are capable of guaranteeing the rights of data subjects. You should establish an appropriate agreement on the procedure to be followed in the event that a data subject raises questions. It is best to keep records of some kind of all the activities you perform in this context. If you keep records of each request received from an individual, noting the date and time it was received and all subsequent actions taken, you will be able to monitor whether you have reacted in a timely manner and responded appropriately. It also means that you will always be able to demonstrate that you are complying with the legislation to the best of your ability if you are audited by the DPA or in the event of a complaint. Keeping a record of the line of reasoning that was followed is crucial, particularly if you are unwilling or unable to comply with the request.

Therefore, simple compliance with legislation is not enough. You also need to document it and be able to prove it. Finally, it is crucial that steps are taken prior to the start of all future projects to minimize potential risks. This will be the subject of the next installment of this blog.

This article has been extracted from Group Joos.