How to demonstrate GDPR compliance

GDPR laws were introduced into legislation in 2016 and became legally enforceable in May 2018. The regulations apply across the European Union and protect an individual’s personal data. GDPR laws are in place to ensure organisations only collect and store the data needed for a permitted purpose and for a limited amount of time. Failure to comply with the regulations can have severe consequences. Organisations are responsible for demonstrating their GDPR compliance, so it’s important to know who is responsible for demonstrating GDPR compliance, and how Cyber Essentials certification for your organisation can play a part in improving compliance.

Data protection roles under GDPR

Under GDPR legislation, there are key roles that can help determine who is responsible for demonstrating compliance:

Data subject

A data subject is the individual to whom the collected personal data belongs. Personal data refers to anything that can be used to identify an individual, including name, passport number, financial records, address or employment details.

Under GDPR legislation, data subjects have rights to ensure that their personal information is stored securely, that their right to privacy remains intact, and to prevent organisations from deviating from GDPR rules.

Data controller

A data controller is a person or organisation who decides how a data subject’s personal data will be collected and for what purpose. It’s the data controller’s responsibility to:

  • Be accountable for lawfully collecting personal data.
  • Create strict security measures, such as encryption, to protect data from unlawful access.
  • Report data breaches if such an incident occurs.

Sometimes, there may be more than one data controller within an organisation. When data controllers decide on the purpose of personal data collection, they must ensure confidentiality, so that no person or organisation can access that personal data without authorisation or unlawfully.


Data processor

A data processor is an individual or third party who processes gathered personal data at the data controller’s request. A data processor’s primary responsibilities include:

  • Always acting within the specified role the data controller has given them.
  • Processing collected personal data only if the data controller permits it.
  • Ensuring that GDPR is complied with when processing data.

Data protection officer

The data protection officer (DPO) is responsible for GDPR compliance throughout an organisation’s whole data collecting process. A data protection officer’s responsibilities can include:

  • Advising organisations on appropriate measures to take in data collection strategies.
  • Informing organisations that they have a responsibility to comply with GDPR laws.
  • Monitoring compliance.

Appointing a DPO is mandatory only in one of the following three situations:

  1. When your organisation is a public authority or body;
  2. If processing data subjects’ personal data on a large scale;
  3. If performing large-scale processing of special categories of personal data and data relating to criminal convictions.

Organisations may decide to assign someone already in their organisation in the role of DPO in addition to existing duties, rather than hire externally for a dedicated position.

Supervisory authority

Beyond the roles within an organisation that are responsible for demonstrating GDPR compliance, national supervisory authorities oversee GDPR compliance and personal data protection within EU countries.

Ireland’s supervisory authority is the Data Protection Commission. It is responsible for upholding the rights of Irish citizens to have their personal data protected under GDPR legislation.

GDPR compliance

The key principles of GDPR

There are seven key principles of GDPR that organisations involved in the collection, storage and processing of personal data must be aware of. That personal data includes data from customers and clients, employees and contractors, or other individuals such as patients, students, or members relevant to your organisation.

Purpose limitation

Personal data collected by organisations should be used only for an explicit purpose. It should not be used for any other reason that contradicts the original purpose of gathering the data. However, according to GDPR Article 5, if personal data is archived for public interests, scientific or historical research purposes, or statistical reasons, this is still in line with the original intent of collecting the personal data.

Accuracy

GDPR regulations state that any personal data gathered must be correct and up to date. If collected data is inaccurate, the necessary steps need to be taken to immediately delete erroneous information and replace it with the correct data.

Data integrity and confidentiality

Data controllers are responsible for ensuring appropriate security measures are in place to protect the integrity and confidentiality of personal data. These security measures must also protect against accidental loss and damage.

Storage limitation

This GDPR principle outlines that personal data should be kept no longer than necessary for processing purposes and be removed once it is no longer needed for its original stated purpose.

Data minimisation

Following the data minimisation principle means gathering only the data needed, and not collecting data that is either unnecessary or that the organisation is not authorised to collect.

Lawfulness, fairness and transparency

The sixth GDPR principle is one of lawfulness, fairness, and transparency. This means that it is essential for data controllers and data processors to adhere to their responsibilities in protecting the data subject’s personal data to comply with the law.

There is an added seventh principle in the GDPR legislation. This principle focuses on the accountability of the data controller and making sure they conduct their duties in a way that adheres to the other six GDPR principles. The data controller is the person responsible for demonstrating GDPR compliance.

What GDPR means for organisations

If an organisation fails to comply with GDPR, it could face legal consequences including bans on processing data, and fines of up to 20 million euros or 4% of an organisation’s annual worldwide turnover, whichever is the greater amount.

Training for those responsible for demonstrating GDPR compliance

Our Cyber Essentials certification can help your organisation determine who is responsible for demonstrating GDPR compliance. Cyber Essentials covers areas such as access control and secure configuration. Cyber Essentials certification shows your commitment to protecting personal data and to complying with key GDPR and data protection legislation, and it helps your organisation win contracts where Cyber Essentials certification is required.

You may also be interested in our ISO 27001 Introduction Training. This one-day workshop provides a foundational and practical understanding of Information Security, including information security measuring and best practice standards.