The European Union’s new data privacy law, known as the General Data Protection Regulation (GDPR), comes into effect on May 25 and brings with it several new challenges to businesses big and small.

From a consumer perspective, the situation is relatively straightforward: the new data privacy rules are meant to give EU citizens more control over how their personal information is used. However, from a business perspective, GDPR means many companies need to rethink their data processing, marketing and back of house operations when it comes to consumer data.

In this contribution, I will draw from the guidelines published by the European Commission to go into more detail about the key players involved in ensuring companies’ GDPR compliance and how their different roles are needed to implement and enforce the new regulations in commercial enterprises.

GDPR introduces the concept of a company as data controller into EU law. The concept of data controller already existed in several member states, but there is now going to be an EU-wide definition of this important role that also includes companies: “The data controller determines the purposes for which, and the means by which, personal data is processed.”

If an organisation decides why and how the personal data should be processed, then that organisation is the data controller. Employees processing personal data within the organisation do so to fulfil its tasks as data controller. A company is a joint controller when, together with one or more organisations, they jointly determine why and how personal data should be processed. Joint controllers must enter into an arrangement that plainly sets out their respective responsibilities for complying with GDPR, and the main aspects of this arrangement must be communicated to the individuals whose data is being processed.

An important distinction must be made between the data processor and the data controller. The data processor handles personal data only on behalf of the controller. The data processor is usually a third party engaged by the controller; this includes companies that offer IT solutions, such as cloud storage services.

The duties of the processor towards the controller must be clearly specified in a contract or another legal act, which should explain how personal data will be processed throughout the duration of the contract, including what happens to the data when the agreement is terminated. The data processor may only subcontract a part of its task to another processor or appoint a joint processor after receiving prior written authorisation from the data controller.

The data protection officer (DPO) is responsible for helping the controller or the processor ensure the privacy and protection of the personal data they process. Their job is to inform and advise the controller or processor, as well as their employees, of their obligations under data protection law; to monitor compliance with data protection laws; and to train staff involved in data processing operations. The DPO provides advice where a data protection impact assessment has been carried out and monitors its performance.

In addition to this, the DPO is the point of contact for individuals requesting information about the processing of their personal data and the exercise of their rights. The DPO must also cooperate with data protection authorities (DPAs) and act as a contact point for DPAs on issues relating to processing.

This officer must be allowed to act almost entirely independently of the organisation he or she works for, reporting directly only to the highest level of management of the organisation. The DPO must not receive any instructions from the controller or processor for the exercise of their tasks.

GDPR is based on a risk-based approach. In other words, companies or organisations processing personal data are encouraged to implement protective measures corresponding to the level of risk of their data processing activities. Accordingly, the responsibilities of a company that processes a large volume of data are greater than those of a company that handles a smaller amount.

For instance, a company or organisation processing a lot of data is more likely to be required to appoint a data protection officer than one processing a small amount of data. At the same time, the nature of the personal data and the impact of the expected processing also play a role. Processing a small amount of data that is of a sensitive nature, such as health data, would require the organisation to implement more stringent measures to comply with the GDPR. In all cases, the principles of data protection must be respected, and individuals must be allowed to exercise their rights.

These are the basics of what data controllers and data protection officers do and their importance under GDPR – there is a lot more detail involved in how they do it. GDPR also adopts a risk-based approach in how companies are expected to protect data. Basically, this means that the more data you process, the more safeguards you’ll need, but more stringent requirements also apply to small companies processing sensitive data.

More information about new rules and obligations for businesses and organisations that process client data can be found online at https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations_en.
