The GDPR (General Data Protection Regulation) places many obligations on organisations that process personal data – which is pretty much all of them. Unsurprisingly, that can feel overwhelming.
If you need a bit of help understanding what you need to do to comply with the Regulation – whether the UK or the EU version – this blog post provides a summary of ten key GDPR requirements:
- Lawful, fair and transparent processing
- Limitation of purpose, data and storage
- Data accuracy, integrity and confidentiality
- Data protection impact assessment
- Privacy by design
- Controller–processor contracts
- Data subject rights
- Data protection officer
- International data transfers
- Personal data breach reporting
1. Lawful, fair and transparent processing
The first data protection principle (Article 5(1)(a)) requires that personal data be processed lawfully, fairly and transparently. ‘Lawfully’ means you must identify a lawful basis under Article 6, such as consent or legitimate interests, before you start processing, and the accountability principle (Article 5(2)) means you must be able to document which basis you rely on and why.
Data subjects must also be aware of what personal data you’re collecting and why you’re collecting it. Many organisations communicate that information via a privacy notice, though you can choose a different method.
Your processing activities must also be fair – that is, not unduly detrimental, unexpected or misleading to data subjects.
2. Limitation of purpose, data and storage
The second, third and fifth data protection principles reflect another key tenet of the Regulation: that you minimise your personal data collection and processing.
You must:
- Only collect and process personal data for specific, declared purposes (‘purpose limitation’);
- Minimise the amount of personal data you collect and process (‘data minimisation’); and
- Keep personal data in identifiable form no longer than necessary, deleting or anonymising it once you no longer need it (‘storage limitation’).
3. Data accuracy, integrity and confidentiality
The fourth and sixth data protection principles are about data accuracy and data security.
Specifically, you must ensure that the personal data you hold is accurate and, where necessary, kept up to date; inaccurate data isn’t fit for purpose. If a data subject points out an inaccuracy (by exercising their right to rectification – more on that below), you must correct it without undue delay.
You must also implement appropriate technical and organisational measures to keep the personal data you hold and process secure (Article 32). The Regulation names pseudonymisation and encryption, the ability to restore availability and access after an incident, and regular testing of your measures as examples of what ‘appropriate’ can mean. The Europrivacy™/® certification scheme outlines concrete checks and controls to ensure your measures are appropriate and adequate.
4. Data protection impact assessment
DPIAs (data protection impact assessments) help organisations identify and minimise risks to data subjects’ rights and freedoms in data processing activities.
The GDPR mandates them for processing that is likely to result in a high risk to individuals (Article 35(1)). For concrete examples of such activities, the Article 29 Working Party’s DPIA guidelines (WP248), which the EDPB (European Data Protection Board) has endorsed, and your supervisory authority’s own list of processing operations that require a DPIA (Article 35(4)) are good places to look.
Article 35(3) also specifies three cases in which a DPIA is always required:
- A systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based;
- Large-scale processing of special category data (Article 9) or criminal conviction and offence data (Article 10); and
- Systematic monitoring of publicly accessible areas on a large scale.
5. Privacy by design
Privacy (and data protection) by design is an approach in which you consider and integrate data privacy and protection from the earliest stages of a project and maintain them for the duration of the project’s lifecycle.
The steps you take, typically in the form of risk-appropriate technical and organisational measures, should ensure that data privacy and protection become part of business as usual.
The concept of ‘privacy by design’ isn’t new, but it has attracted more attention since the GDPR mandated it in Article 25 (‘data protection by design and by default’).
The idea is that the technical and organisational measures required under Article 32, as well as the data protection principles, are integrated into your processing activities from the get-go.
6. Controller–processor contracts
Article 28 contracts, between controllers and processors, are another important but often overlooked aspect of GDPR compliance.
Under Article 28(3) the contract must set out, among other things:
- The subject matter, duration, nature and purpose of the processing;
- The types of personal data and categories of data subjects involved; and
- The obligations and rights of the controller.
It must also bind the processor to specific obligations, including that the processor:
- Only processes personal data on documented instructions from the controller;
- Ensures that the people it authorises to process the data are bound by confidentiality;
- Takes appropriate security measures as per Article 32;
- Only engages sub-processors with the controller’s authorisation, and on equivalent contractual terms;
- Assists the controller with data subject requests, security, breach notification and DPIAs; and
- Deletes or returns all the personal data (at the controller’s choice) when the service ends, and deletes existing copies unless the law requires them to be kept.
7. Data subject rights
Chapter III (Articles 12–22) lays out eight data subject rights, which individuals may exercise:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making, including profiling
Not all of these rights are absolute, but even when you refuse a request you must respond within one month of receiving it (Article 12(3)), explaining why you are not acting on it and telling the data subject that they can complain to a supervisory authority (Article 12(4)). The month can be extended by up to two further months for complex or numerous requests, provided you tell the data subject within the first month. This applies to DSARs (data subject access requests) as much as to any other request.
8. Data protection officer
A DPO (data protection officer) is an independent data protection expert who:
- Advises on the GDPR requirements;
- Monitors the organisation’s GDPR compliance;
- Advises on DPIAs, when asked, and monitors how they are carried out; and
- Acts as a point of contact for supervisory authorities.
The requirements for a DPO are laid out in Articles 37–39, including when you must appoint one (Article 37(1)):
- You’re a public authority or body.
- Your core activities require regular and systematic monitoring of data subjects on a large scale.
- Your core activities involve large-scale processing of sensitive personal data or data relating to criminal convictions or offences.
9. International data transfers
UK GDPR
To send personal data outside the UK – i.e. to make a ‘restricted transfer’ – controllers and processors must ensure the data keeps an adequate level of protection. In practice, the transfer must be covered by UK adequacy regulations, by an appropriate safeguard such as the ICO’s International Data Transfer Agreement (IDTA), the EU standard contractual clauses with the UK Addendum, or binding corporate rules, or by one of the limited exceptions. The aim is to protect:
- The personal data being transferred; and
- The rights and freedoms of data subjects.
Where you rely on a safeguard such as the IDTA, you must also carry out a transfer risk assessment: consider the laws and practices of the destination country, including the likelihood of third parties such as public authorities gaining access to the data, and check that the protection the safeguard promises holds up in practice.
There are three conditions for the transfer to be considered ‘restricted’ under the UK GDPR:
- The personal data you want to transfer is subject to the UK GDPR.
- You’re initiating and agreeing to send personal data to (or make it available to) a recipient outside the UK.
- The recipient is a separate, legally distinct organisation (or individual) from you.
EU GDPR
Under the EU GDPR the test for a restricted transfer is essentially the same, with the EEA in place of the UK:
- The controller or processor carrying out the processing is subject to the EU GDPR.
- The controller or processor transfers the personal data, or makes it available, to another organisation.
- That organisation is outside the EEA, or is an international organisation.
Chapter V then requires the transfer to rest on an adequacy decision (Article 45), on appropriate safeguards such as standard contractual clauses or binding corporate rules (Article 46), or on one of the derogations in Article 49.
10. Personal data breach reporting
Data breaches can happen despite your best efforts.
Should you suffer one, the GDPR (Article 33) requires the controller to report it to its supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. If you miss the 72 hours, the notification must explain the delay, and every breach, reported or not, must be documented internally (Article 33(5)).
The controller must also notify affected data subjects “without undue delay” if the breach is likely to result in a high risk to their rights and freedoms (Article 34).
Should a data processor become aware of a breach, it must notify the data controller, also “without undue delay” (Article 33(2)).
