GDPR Obligations on Companies/Organizations


When the General Data Protection Regulation (GDPR) was introduced by the European Union (EU) on May 25, 2018, it brought with it a new set of rules and obligations that had to be adhered to by companies and organisations that manage the personal data of EU citizens.

The Creation of Adequate Processing Systems for Data Management

Controllers are obliged to implement a data management system with adequate measures in place to comply with GDPR. With the dawn of GDPR came the concept of privacy by design, where data protection measures are taken into account throughout the entire design process.

Certification indicating that a data management system is GDPR compliant is available from the relevant local data protection supervisory authority.

Using Data Processors that are Legally Compliant

If data processing tasks are assigned to a processor rather than a data controller then the processor must be deemed GDPR compliant before they are put to use.

A data processor might be one of the following: payroll companies, accountancy firms or a human resources agency. Any of these could, potentially, store or process personal information.

An official contract must be in place between the data controller and the data processor which outlines all of the necessary legal obligations.

Handling and keeping records of processing activities.

If a company either has more than 250 members of staff or processes sensitive personal information, then it must maintain a record of all processing activities it carries out in line with GDPR rules.

This record must include the identification and contact details of the controller, the aim of processing, defined categories of data subjects and personal data, the categories of data recipients, details of transfers to non-EU countries and relevant data privacy legislation of that country, data time limits and an outline of the data security measures in place.

Securing all data from possible breaches and capture by unauthorized people.

Security measures should be implemented that seek to keep personal data secure. These must protect the personal data from accidental or unlawful destruction of stored data or unauthorized disclosure, access or alteration.

Reporting Data Breaches

GDPR states that the relevant local data protection authority must be notified of a data breach within 72 hours of the controller first becoming aware of the breach. This is the case where the breach could result in a risk to the rights and freedoms of the data subject(s).

Constant data impact assessments.

A data protection impact assessment must be carried out by all data controllers that intend to conduct high-risk data processing. This data protection impact assessment must include a description of the process and the reason for it, an assessment of the necessity of the processing, an assessment of the possible dangers to the rights and freedoms of the data subjects and a list of all of the measures used to address the stated risks.

A review should also be conducted after the processing begins.

Designate a Data Protection Officer (DPO).

A Data Protection Officer (DPO) must be appointed if an organization is a public body, has core activities that include monitoring of data subjects on a large scale, or if special categories of data are being managed.

If one or more of these conditions are in place then a DPO must be appointed. The rules for appointing a DPO are as follows:

  • The individual appointed has the correct professional experience and expert knowledge on data protection legislation.
  • The DPO may be an internal/existing member of staff appointed to the role.
  • Contact details for the DPO must be submitted to the data supervisory authority.
  • Resources must be made available so the DPO can complete their tasks properly.
  • The DPO should report to the upper levels of company/organization management.
  • The DPO cannot perform any task/role that is in conflict with their role.

Compliance with Codes of Conduct and Certification

Associations and other bodies representing controllers and processors may prepare codes of practice that will state how the GDPR should be complied with. Draft codes of conduct must be submitted to the Data Protection Commission for approval.

Transfer of Data Outside of the EU

Personal data may be transferred outside the EU or to an international organisation when the EU has deemed that the recipient country has an adequate level of data protection in existence. Should the transfer to an unapproved country be deemed necessary then the data controller or processor must see to it that all appropriate safeguards are in place.


About the author


Editorial Staff
