GDPR obligations for data controllers
The General Data Protection Regulation (GDPR) is a new regulation on data protection that applies to all processing of personal data within the European Union. One of its key objectives is to improve personal data protection and the rights of data subjects.
We have gathered here the 10 most important things that a data controller must know about the new regulation. A data controller means any organisation for which the registry has been created and that controls it. A registry is any list of individuals that contains personifying information. Virtually all companies and other organisations are therefore data controllers.
The 10 most important things a data controller needs to know about the GDPR
How many subject access requests will be made?
No one can predict yet how many requests based on the GDPR will be made. It is likely, however, that almost every organisation will receive at least a few subject access requests.
Obligation to respond
Subject access requests should be met within a month. It is useful if the organisation can demonstrate when the subject access request has been made.
Security and confidentiality
The person making a subject access request must be identified reliably and the data transferred through a secure channel. It is equally important that the data does not end up in the wrong hands or that one individual does not cause another’s data to be erased.
The regulation applies to all data controllers and data processors
The GDPR applies to all parties processing personal data – businesses, public authorities and associations –, which means it affects advertising agencies, public day care centres and sport clubs alike.
The regulation applies to all personal information
The GDPR applies to all personal information, not just client-related data. For example employee information, event participant information and a list of housing cooperative members are personal information.
Different kinds of access requests
A data subject can request access to their personal data or request to have it erased, corrected, or its use restricted. They can also object to it or have it transferred from one system to another.
Fines and other sanctions
Supervisory authority can impose a warning or a reprimand, a temporary or definitive limitation including a ban of processing or administrative fine for a failure to comply with the regulation.
The collected information must be corrected without delay if the data subject so requests. If a data subject requests erasure all information must be deleted unless the organisation has a legal obligation to refuse.
The organisation or other data controller must be able to demonstrate compliance with the GDPR in all data processes.
Possibility to stand out positively
The GDPR can be turned from a challenge to a competitive advantage. Transparency, reliability and good service all give you a competitive edge now that privacy protection is in the spotlight.