Achieving compliance with the General Data Protection Regulation (GDPR) does not hard to be an arduous process. Reviewing chapters and their summaries can help organizations to understand the scope of the GDPR.
PART 2: Dataflow, Transfers, Reports
In GDPR Summaries Part 1, we covered the first three chapters of the regulation and reviewed Articles 1-23. Organized and broken down into sections - including a complete checklist- part 2 discusses chapters 4-6 and covers Articles 24-59. The breakdown of those chapters and articles follows below
Chapter 4: Controller and Processor
This chapter, covering Articles 24-43, discusses quite a bit of information. Data Protection by Design is introduced and encourages organizations to think about looking at all enterprise products and how GDPR is worked into processes.
It also covers the Security of Processing, (Article 32) which explains how processors and controllers of data must implement specific measures to keep data secure. This is the largest and longest chapter of the GDPR.
Key takeaways
Article 25: Data Protection by Design and Default. Organizations must take appropriate measures for the collection, processing, storage, and accessibility of data.Article 32: Security of Processing. Change Management is the name and GDPR is the game. Safeguards must be implemented that prevents people with access to personal data from processing that data unless otherwise instructed.Article 33: Notification of a data breach to supervisory authority must occur within 72 hours of the breach discovery.Article 34: Communication of a personal data breach to the data subject must occur immediately.Article 35: Data Protection Impact Assessment. Risk must be assessed and impact reviewed whenever new technologies are introduced.
This chapter also discusses the requirements for personal data breach notifications, and the role, position, and tasks of the Data Protection Officer(DPO).
Chapter 5: Transfering Data
This chapter, covering Articles 44-50, focuses on data being transferred from third countries or organizations to another, and how that data is protected.
Key takeaways
Article 46: Transfers Subject to Appropriate Safeguards. The controller or processor may transfer data if safeguards have been provided.Article 50: International Cooperation for the Protection of Personal Data. Appropriate steps must be taken with international organizations, third countries and supervisory authorities.
Though this chapter is shorter than previous chapters, the importance of data transfer between third countries or international organizations should not be minimized.
Chapter 6: Independent Supervisory Authorities
This chapter focuses on requirements for EU member states. Article 59 is important to understand as annual reports must be generated on activities, and these reports must be available to the public, governmental authorities, and European Commission, and the European Data Board.
Key takeaways
Article 57: Specific tasks are required for the supervisory authority. Monitoring and enforcing the GDPR along with full comprehension of the risks, rules, safeguards, and rights to processing must occur.Article 59: Activity Reports. Annual reporting is required for all activities related to GDPR compliance. Reporting which can "prove" compliance is essential, as these reports will be submitted to governmental and other authorities noted as required by the regulation.
Being able to identify and report changes within systems is necessary for compliance.
In Part III of this series, we will cover liabilities, sanctions, and provisions. To learn more about the GDPR and compliance for your organization download the complete GDPR checklist today.
