
GDPR obligations for data controllers

The General Data Protection Regulation (GDPR) is a new regulation on data protection that applies to all processing of personal data within the European Union. One of its key objectives is to improve personal data protection and the rights of data subjects.

We have gathered here the 10 most important things that a data controller must know about the new regulation. A data controller means any organisation that has created a registry and that decides how it is used. A registry is any list of individuals that contains identifying information. Virtually all companies and other organisations are therefore data controllers.

The 10 most important things a data controller needs to know about the GDPR

  1. How many subject access requests will be made?

    No one can predict yet how many requests based on the GDPR will be made. It is likely, however, that almost every organisation will receive at least a few subject access requests.

  2. Obligation to respond

    Subject access requests should be met within a month. It is useful if the organisation can demonstrate when the subject access request was made.

  3. Security and confidentiality

    The person making a subject access request must be identified reliably, and the data must be transferred through a secure channel. It is equally important that the data does not end up in the wrong hands and that one individual cannot cause another's data to be erased.

  4. The regulation applies to all data controllers and data processors

    The GDPR applies to all parties processing personal data – businesses, public authorities and associations – which means it affects advertising agencies, public day care centres and sports clubs alike.

  5. The regulation applies to all personal information

    The GDPR applies to all personal information, not just client-related data. For example, employee information, event participant information and a list of housing cooperative members are all personal information.

  6. Different kinds of access requests

    A data subject can request access to their personal data or request to have it erased, corrected, or its use restricted. They can also object to its processing or have it transferred from one system to another.

  7. Fines and other sanctions

    The supervisory authority can impose a warning or a reprimand, a temporary or definitive limitation (including a ban on processing), or an administrative fine for a failure to comply with the regulation.

  8. Information correctness

    The collected information must be corrected without delay if the data subject so requests. If a data subject requests erasure, all information must be deleted unless the organisation has a legal obligation to refuse.

  9. Accountability

    The organisation or other data controller must be able to demonstrate compliance with the GDPR in all of its data processing.

  10. Possibility to stand out positively

    The GDPR can be turned from a challenge to a competitive advantage. Transparency, reliability and good service all give you a competitive edge now that privacy protection is in the spotlight.