Additional Business Obligations of GDPR
Along with fulfilling consumers' subject rights requests and enabling their consent preferences, your business will need to fulfill an additional set of organizational obligations to comply with GDPR. Here are these business requirements in more detail.
Articles 12-14 mandate that businesses provide a clear and transparent Privacy Notice to consumers about their data processing practices. Privacy Notices must be free, written in plain English, and easily accessible on your business website.
If your company is directly collecting the personal data of consumers, the Privacy Notice should include:
- The identity and the contact details of the controller and the controller’s representative;
- The contact details of the data protection officer;
- The purposes of processing personal data, as well as the legal basis;
- The legitimate interests of processing by the controller or by a third party;
- The recipients or categories of recipients of the personal data;
- If the controller intends to transfer personal data to a third country or international organization, the existence or absence of an adequacy decision by the Commission, and via what appropriate or suitable safeguards;
- The period for which the personal data will be stored, or the criteria used to determine that period;
- The ability for individuals to exercise their data subject rights;
- The ability for individuals to withdraw consent at any time;
- The right to lodge a complaint with a supervisory authority;
- Whether the personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data, and the possible consequences of failure to provide the data;
- The existence of automated decision-making, including profiling, meaningful information about the logic involved, and the significance and potential consequences of such processing for the data subject.
To make sure you're complying with GDPR, work with your legal team to ensure you're providing all of the necessary information on your Privacy Notice.
Article 25 of GDPR details Privacy by Design (PbyD) as a foundational data privacy principle and practice. PbyD builds the user's privacy into the design of a product or service from the outset; it is a proactive approach to privacy rather than a reactive one.
Practicing PbyD will ensure that the collection and processing of consumers' personal data is done with the users' privacy in mind. Examples of PbyD include two of the above seven principles of GDPR: data minimization and purpose limitation.
Again, your business should only collect, process, and retain users' personal data for specific and legitimate business purposes. Once the purpose has been completed, your business should delete the data in a secure and timely manner.
Privacy by Design will help your business ensure compliance with GDPR by minimizing the amount of data your business stores. The less personal data your business has, the lower the risk of potential data misuse, GDPR violations, and fines from data protection authorities.
Article 28 of GDPR sets out the requirements for data processing agreements, also called "data processing contracts" in the U.S. Under this mandate, controllers must enter into legally binding contracts with data processors, i.e. third parties that process data on behalf of the controller.
These contracts should establish: what data is being processed, the purpose of processing, for how long, the type of personal data and category of data subjects, and the responsibilities of both the controller and processor.
Contracts between the controller and processor must legally obligate the processor to follow the controller's instructions and assist the controller in demonstrating compliance with GDPR. If your business works with data processors, enter into data processing agreements with each of them.
Under Article 30 of GDPR, both controllers and processors must maintain records of processing activities (RoPAs). A RoPA is an inventory of data processing. It must include information about your business' data processing activities, such as:
- The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- The purposes of the processing;
- A description of the categories of data subjects and of the categories of personal data;
- The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
- Transfers of personal data to a third country or an international organization, including the identification of that third country or international organization;
- Data retention timeline;
- Your business' technical and organizational security measures.
RoPAs are used to demonstrate compliance with GDPR. Your business must be able to produce a record upon the request of a regulatory authority. This is usually a manual, time-consuming, and labor-intensive process, but Ethyca can help you automate this with a click of a button. More on that later.
Articles 37-39 cover a business' obligation to designate a data protection officer (DPO). A DPO's responsibility is to ensure your business complies with GDPR's regulations.
Specific DPO duties include:
- Educating employees on GDPR requirements;
- Overseeing compliance with GDPR;
- Advising on data protection impact assessments;
- Cooperating with the enforcement authority;
- Acting as the point of contact with the enforcement authority.
If your business is not based in the EU, but collects and processes EU citizens' data, it must designate a GDPR representative based in the EU (Article 27). This representative should act as a DPO would to help your business achieve and maintain compliance with GDPR.