GDPR and supervisory authority

What will effectively change in 2018?

You, as a company, are obligated to adhere to following expectations:

  • notify data breaches
  • assign a data privacy officer (role)
  • Execute data protection impact assessment (DPIA)
  • Involve supervisory authority prior to processing of personal data

When the GDPR goes into effect, the supervisory authority will:

  • Monitor and enforce compliance
  • will and is allowed to perform inspections
  • Issue warnings and penalties
  • May even impose limitation or bans of processing

Data Subject

but what about obligations of and towards the data subject?
demonstrate compliance
You should be able to demonstrate you are compliant, as the data subject may request to be informed about all processing.
implement privacy by design
Privacy should be embedded in your business' lifecycle, as any data subject may submit an inquiry about your processing.
Processors and Controllers
You must ensure there are written procedures for any processing and controllers keeping a documented track record of any processing. A data subject is allowed to request deletion of its personal data from all of your systems.
Agreement between processor and controller
Ensure clear agreements are in place, related to scope and use for any relationship between processor and controller. A data subject may want to take information to another organisation, so any transition requires end to end processing of the request.
Privacy and security
Controller and processors are liable for securing the data. Any breach is to be communicated where proof is required that all necessary controls are in place and actions are taken to contain and close the breach.
A data subject may request you to stop processing its data...
To fulfil this request the earlier mentioned topics need to be organized well. Keep in mind that the data subject gained a lot more rights in the new GDPR where timelines to adhere to these requests are short.