Internal GDPR Responsibilities

Responsibilities of the Controller

According to the GDPR, controllers should implement appropriate technical and organizational measures to comply with the GDPR, and they should be able to demonstrate that those measures are in accordance with the GDPR. These measures may include …

  1. implementation of data protection policies,
  2. adherence to the codes of conduct defined in the GDPR,
  3. adherence to the certification process defined in the GDPR.

The controller is also subject to the following two principles:

— Data protection by design: According to this principle, both at the time of determining the purpose of the data processing (planning time) and at the time of the actual data processing itself (execution time), controllers should implement appropriate technical and organizational measures. A few of the most important measures are given below.

  • Pseudonymization of personal data.
  • Encryption of personal data.
  • Adherence to the CIA security principles: Confidentiality, Integrity, and Availability.
  • Ability to restore the data after a physical or technical incident.
  • Resilience of the processing system.
  • Ability to support audits, inspections and other security measures.

— Data protection by default: According to this principle, controllers should process only the personal data required for the current purpose of the processing. This also implies collecting only the required data and storing it only for the required duration.

Controllers should only use processors who can guarantee and demonstrate their compliance with the GDPR; the GDPR code-of-conduct and certification elements are helpful in making such decisions. Controllers should also ensure that processors process data only on the exact instructions provided by the controller.

The controller should maintain a record of data processing that includes the following information.

  1. Name and contact details of the controller, any representative, and any data protection officer (DPO).
  2. Purpose of the data processing.
  3. Type of data and categories of data subjects.
  4. Whether the data will be transferred to a third party.
  5. Whether the data will be transferred to a third-party country.
  6. How long the data will be kept by the controller.
  7. Technical and organizational security measures followed by the controller.

Conducting a data protection impact assessment (DPIA), depending on the nature of the data processing, is also a responsibility of the controller; we will discuss impact assessments in a separate section.

Responsibilities of the Processor

  • Processing of personal data by a processor should always be based on documented instructions from a controller.
  • A processor should be able to demonstrate its GDPR compliance in data processing to controllers and to supervisory bodies.
  • A processor should not engage another processor without written approval from the controller.
  • If a processor is subject to any special data transfer regulations from the EU or a Member State, it should communicate those regulations to the controller.
  • People accessing personal data on the processor’s side should commit to ensuring its confidentiality.
  • The processor should assist the controller in fulfilling requests from individuals.
  • The processor should assist the controller in complying with the GDPR regulations.
  • The processor should cooperate with the supervisory bodies.
  • At the controller’s choice, the processor should be able to delete any stored personal data.

The processor should maintain a record of data processing that includes the following information.

  1. Name and contact details of the processor, the associated controllers, any representative, and any data protection officer (DPO).
  2. Purpose of the data processing for each controller.
  3. Type of data and categories of data subjects.
  4. Whether the data will be transferred to a third party.
  5. Whether the data will be transferred to a third-party country.
  6. How long the data will be kept by the controller.
  7. Technical and organizational security measures followed by the controller.