Data controller obligations under GDPR

AAT Comment

In my last article I covered the difference between data controllers and data processors.

You’ll know that as an accountant some of the time you’ll be a data controller and some of the time, a processor.

So let’s look at your obligations as a data controller in more detail.

A quick reminder of the Data Protection Act (DPA) definition – a data controller is defined as “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed”.

In short, they decide the ‘why’ and the ‘how’ of data processing and, except in a very limited circumstance, they are required to be registered with the Information Commissioner’s Office (ICO) as a data controller.

So let’s look at your obligations as a data controller under the DPA:

  • Be registered with the ICO as a data controller.
  • Have a data protection policy.
  • Be accountable for compliance with the legislation.
  • Ensure that personal data is only obtained for a specified and lawful purpose; which is usually detailed in a fair processing notice and supported by obtaining consent from the individual.
  • Ensure that personal data collected is kept accurate and up-to-date.
  • Ensure that the personal data is only processed in a way that is compatible with the original purpose for which it was collected.
  • Provide an individual with access to the information held about them (Subject Access Request).
  • Ensure that the personal data collected is adequate, relevant and not excessive.
  • Protect personal data against accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks. These protection measures must ensure a level of protection appropriate to the data.
  • Ensure that data is not transferred outside of the European Economic Area (EEA) unless adequate protections are in place.

So what’s different from 25th May 2018 when GDPR applies?

The data controller’s obligations include all of the above and are extended to include the following:

  • Be able to demonstrate how and when they obtained a data subject’s consent to processing their personal data. Consent may be withdrawn by data subjects at any time.
  • Be able to verify parental consent where it’s required for the processing of a young person’s data.
  • Remove personal information from their systems when required to by the data subject, and notify other data controllers with whom they have shared the data.
  • Have written agreements with data processors who process data on their behalf.
  • Obtain from their data processors sufficient guarantees as to their security controls.
  • Ensure that any person acting under their authority does not process data except on the controller’s instructions.
  • Undertake privacy impact assessments when considering changes to their systems or proposed systems.
  • Appoint a Data Protection Officer if required by the type of processing undertaken.
  • Report a personal data breach to the ICO, not later than 72 hours after having become aware of it, if it’s likely to result in a risk to people’s rights and freedoms. This will be mandatory under the GDPR. The threshold for deciding whether an incident needs to be reported to the ICO depends on the risk it poses to the people involved. In addition, if there’s a likelihood of a high risk to people’s rights and freedoms, the controller will also need to report the breach to the individuals who have been affected.
  • Maintain an internal breach register for those breaches that are not reportable.
  • Potentially pay compensation in the event of damage or distress to an individual as a result of the data controller’s negligence when using personal information.

The obligations of a data controller have changed as a result of the GDPR and should be embedded into your methods of working.

Create a ticklist with the obligations and then ensure you meet the requirements. Where you do not, implement an action plan to ensure that you and your business are on the way to compliance.

Ian Cooley GDPR, Data Protection and Privacy Specialist at GDPR Advisors UK.
