Rejoice, lovely readers, for we have made it to the fourth and final week of our GDPR training. Just in case you’ve been cut off from society, the GDPR is the EU’s new rules for data protection and it is very important that all businesses comply. Even if/when Brexit happens, the UK still needs to be compliant with the GDPR if they have clients in EU member states. For more information on the regulations, please read Week 1, Week 2 and Week 3.
This week is all about the bodies that ensure compliance with the GDPR, and the penalties they can dish out if you don’t comply. First up, national supervisory authorities monitor data processing activities, refer non-compliance for judicial review, and allow data subjects a means of complaint.
The national supervisory authority can give an organisation certification to prove they are GDPR compliant. This certification lasts for three years.
A national supervisory authority can only monitor processing that takes place in its geographic territory, or that concerns subjects residing in its geographic territory. If a cross-border dispute occurs, the case is referred to the lead supervisory authority, or LSA.
National supervisory authorities can impose liabilities for non-compliance with the GDPR. Data subjects are entitled to compensation if a company has misused their data. Controllers are liable for all damages, while processors are only liable if they did not comply with their own obligations or if they acted against the controller’s instructions.
The European Data Protection Board (referred to as ‘The Board’) is made up of the head of each national supervisory authority, plus representatives from the European Data Protection Supervisor (EDPS). The EDPS has restricted voting rights, and a representative from the European Commission is allowed to attend meetings but cannot vote. The Board’s role is to ensure GDPR compliance, while also ensuring cooperation between national supervisory authorities and checking on international compliance. The Board can issue EU-wide directives on particular cases so as to ensure consistency; the LSA also helps with this.
A code of conduct should be written and made available to all data subjects, detailing how your organisation will comply with the GDPR. You should include how data will be collected, how subject rights can be exercised, and how you will notify subjects and authorities of a data breach. Submit your code to the national supervisory authority for approval.
Finally, big companies will use Binding Corporate Rules (BCR), which are rules adopted by a group of multinational companies. They require approval of the national supervisory authority. They cover the transfer of data between companies in the group across geographical boundaries. You do not need approval from the national supervisory authority to transfer data outside of the EU as long as the transfer adheres to standard contractual data clauses. The country the data is being transferred to must have adequate data protection laws, unless the controller can provide the appropriate safeguards, such as BCRs or standard contractual clauses.
And that’s it. You now know everything I do about GDPR, how to implement it and how not to fall foul of its laws. All of my information comes from my studies on this free course, provided by the University of Groningen, which I would thoroughly recommend taking part in.