GDPR Requirements

Although the Data Protection Directive includes some provisions towards accountability, such as ensuring compliance with the main data quality principles and implementing appropriate measures to protect data, the General Data Protection Regulation provides more specific provisions to ensure accountability.

The accountability provisions of the GDPR include taking a risk-based approach, conducting data protection impact assessments and appointing a Data Protection Officer in certain cases.

Companies should have reviewed existing policies and data processes to identify gaps and incorporate an effective accountability programme.  Senior management should be aware of the requirements and ensure a fully compliant programme is in place.  A Data Protection Officer should be appointed if one is required.  Further information on the risk-based approach, Data Protection Impact Assessments, Prior Consultations and Data Protection Officers is provided below.

Risk Analysis

The GDPR introduces a risk-based approach that involves assessing the risks presented by data processing activities and responding appropriately. This assessment should take into account the nature, scope, context and purpose of the processing, and the potential risks to the rights and freedoms of individuals. The obligations that apply to 'high risk' processing are notification of breaches, conducting a data protection impact assessment and prior consultation with the Data Protection Authority.

Data Protection Impact Assessments

Where a type of processing, particularly one using new technology, is likely to result in a high risk to the rights of individuals, the controller must carry out an assessment of its impact in advance. This includes automated processing, such as profiling, that leads to decisions with a legal effect on individuals, and large-scale processing of special categories of personal data or data relating to criminal convictions. The Data Protection Officer, where designated, can advise on the assessment.

The supervisory authority will publish a list of the kinds of processing operations that require a Data Protection Impact Assessment. An assessment should include a systematic description of the processing operation and its purpose, and an assessment of the risks to the rights and freedoms of individuals. It should also set out the measures that could be taken to mitigate these risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR.

Prior Consultation

Where a Data Protection Impact Assessment indicates that the processing poses a high risk, the controller must consult the supervisory authority as described in Article 36 'Prior consultation'. If the supervisory authority considers that the intended processing would infringe the Regulation, it will provide written advice to the controller and, where applicable, to the processor. This advice is given within eight weeks of the request for consultation; the period may be extended by a further six weeks if required.

When consulting the supervisory authority, the controller will provide the supervisory authority with:

  • the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings
  • the purposes and means of the intended processing
  • the measures and safeguards provided to protect the rights and freedoms of data subjects
  • where applicable, the contact details of the Data Protection Officer
  • the data protection impact assessment
  • any other information requested by the supervisory authority.

Data Protection Officers

Controllers and processors must designate a Data Protection Officer (DPO) where:

  • the processing is carried out by a public authority or body (excluding courts acting in their judicial capacity);
  • the core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities consist of large-scale processing of the special categories of data referred to in Article 9, or of the data referred to in Article 10.

EU Member States may also make the appointment of a DPO mandatory by law under other circumstances.

It is possible for a group of undertakings to appoint a single DPO provided the officer is easily accessible.  The DPO may be employed on a permanent or contract basis, and the contact details of the DPO will be published and provided to the supervisory authority.

The DPO needs to be involved in all issues related to the protection of personal data and will report directly to the highest management level of the controller or processor.

The role of the DPO includes informing and advising the controller or processor and relevant staff of their obligations regarding the General Data Protection Regulation, and any other relevant data protection provisions.  They must also monitor compliance with the GDPR and internal policies relating to the protection of personal data.

The DPO should also advise the controller when a Data Protection Impact Assessment is being carried out and monitor its performance.  If the assessment indicates that the processing would result in high risk and a prior consultation is made, the DPO will act as the main contact point with the supervisory authority to discuss this, as well as any other relevant matters.
