This last module sets out some of the new legal obligations of data controllers and processors imposed by the European Regulation.
The European Regulation imposes new obligations that will have a considerable impact on any entity that has to manage personal data: companies, associations, public bodies as well as their subcontractors.
The principle of "Privacy by Design" is one of these new obligations: with the GDPR, any project must integrate data protection right from the design stage. What data must be collected, and for what purpose? What information must be given to clients or prospects, and must their consent be obtained? Does a privacy impact assessment have to be carried out? Given all the data processed, it is imperative to involve the DPO from the very beginning of the project.
The DPO is the Data Protection Officer. Companies must appoint one as soon as they regularly carry out data processing or the data concerned are sensitive.
The DPO is the primary contact person for the Control Authority and ensures that the regulations are complied with.
To carry out this mission, the DPO orchestrates awareness-raising, advisory, risk-assessment and control activities among employees.
The DPO is also responsible for supervising the register of processing operations, another new obligation of the European Regulation, for companies and their subcontractors. This register must record precise information on the processing operations carried out in the company: contact details of the controller, purposes, recipients of the data, storage period, hosting and possible transfers, etc.
This is because companies must be able to prove that they comply with the regulations: this is the principle of accountability.
How can this be done?
By adopting internal rules and appropriate measures to ensure that each processing operation is carried out in compliance with the European Regulation, and by being able to demonstrate this to the Control Authority: documentation, audits, risk analyses, etc.
Everything must be done to protect the personal data of customers and employees! This is another very important point of the Regulation: security! The novelty is that in the event of a security breach or data leak, the entity has 72 hours to notify the competent Control Authority, and must also inform the persons concerned where the breach poses a high risk to their privacy.
As this time limit is very short, subcontractors, for their part, must be reactive and notify their client of any data breach as soon as possible! Data security is therefore raised a notch with the European Regulation, and must be guaranteed in all departments of any organisation, as well as in its subcontractors.
And this is not the only novelty for subcontractors, who must now assist and advise their customers in their compliance:
And, as with data controllers, they can now be held liable and face the risk of sanctions.
One last thing: in principle, transfers of personal data outside the territory of the European Union are prohibited unless the destination country or the recipient provides an adequate level of protection. Everyone's commitment is therefore essential in order to comply with these new obligations!
The DPO is here to help you!