Achieving compliance with the General Data Protection Regulation (GDPR) does not have to be an arduous process. Reviewing the regulation chapter by chapter, with a summary of each, helps organizations understand the scope of the GDPR.

PART 2: Dataflow, Transfers, Reports

In GDPR Summaries Part 1, we covered the first three chapters of the regulation and reviewed Articles 1-23. Organized and broken down into sections, including a complete checklist, Part 2 discusses Chapters 4-6 and covers Articles 24-59. The breakdown of those chapters and articles follows below.

Chapter 4: Controller and Processor

This chapter, covering Articles 24-43, is the largest and longest chapter of the GDPR and sets out the responsibilities of controllers and processors. Data Protection by Design and by Default (Article 25) is introduced here; it requires organizations to build data protection into their products and processes from the outset rather than bolting it on afterwards.

The chapter also covers the Security of Processing (Article 32), which requires controllers and processors to implement technical and organizational measures appropriate to the risk in order to keep personal data secure.

Key takeaways
Article 25: Data Protection by Design and by Default. Organizations must implement appropriate technical and organizational measures, such as pseudonymisation and data minimisation, both when the means of processing are determined and during the processing itself, and must by default process only the personal data necessary for each specific purpose.
Article 32: Security of Processing. Change Management is the name and GDPR is the game. Controllers and processors must implement measures appropriate to the risk, including, as appropriate, pseudonymisation and encryption, the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems, the ability to restore availability of and access to personal data in a timely manner after an incident, and a process for regularly testing and evaluating the effectiveness of those measures. They must also ensure that anyone acting under their authority who has access to personal data does not process it except on the controller's instructions.
Article 33: Notification of a personal data breach to the supervisory authority. The controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. A processor must notify the controller without undue delay after becoming aware of a breach.
Article 34: Communication of a personal data breach to the data subject. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must inform the affected data subjects without undue delay. This is not required where the data was rendered unintelligible to unauthorized persons, for example through encryption.
Article 35: Data Protection Impact Assessment. Where processing, in particular using new technologies, is likely to result in a high risk to individuals, the controller must assess the impact of the planned processing on the protection of personal data before the processing begins.

This chapter also discusses the requirements for personal data breach notifications (Articles 33 and 34) and the designation, position, and tasks of the Data Protection Officer (DPO) (Articles 37-39).


Chapter 5: Transferring Data

This chapter, covering Articles 44-50, focuses on transfers of personal data to third countries (countries outside the EU) or to international organizations, and on how that data remains protected once it leaves the EU.

Key takeaways
Article 46: Transfers Subject to Appropriate Safeguards. In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or international organization only if it has provided appropriate safeguards, such as binding corporate rules or standard data protection clauses, and enforceable data subject rights and effective legal remedies are available.
Article 50: International Cooperation for the Protection of Personal Data. The Commission and supervisory authorities must take appropriate steps to develop cooperation mechanisms and mutual assistance with third countries and international organizations for the enforcement of data protection legislation.

Though this chapter is shorter than the previous chapters, the importance of data transfers to third countries or international organizations should not be minimized.


Chapter 6: Independent Supervisory Authorities

This chapter focuses on the independent supervisory authorities that each EU member state must establish. Article 59 is important to understand: every supervisory authority must draw up an annual report on its activities, which is transmitted to the national parliament, the government, and other authorities designated by member state law, and made available to the public, the European Commission, and the European Data Protection Board.


Key takeaways
Article 57: Tasks. The supervisory authority must, among other tasks, monitor and enforce the application of the GDPR and promote public awareness and understanding of the risks, rules, safeguards, and rights in relation to processing.
Article 59: Activity Reports. Each supervisory authority must publish an annual report on its activities. Note that this reporting obligation falls on the supervisory authority, not on organizations. The obligation on a controller to be able to demonstrate that its processing complies with the regulation comes from Article 24 in Chapter 4, which is why records that can "prove" compliance to a supervisory authority are essential.

Being able to identify and report changes within systems is necessary for demonstrating that compliance.

In Part 3 of this series, we will cover liabilities, sanctions, and provisions. To learn more about the GDPR and compliance for your organization, download the complete GDPR checklist today.



Post by Jacqueline von Ogden
May 10, 2018
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".

About Cimcor

Cimcor’s File Integrity Monitoring solution, CimTrak, helps enterprise IT and security teams secure critical assets and simplify compliance. Easily identify, prohibit, and remediate unknown or unauthorized changes in real time.