The article is an overview of basic obligations under the General Data Protection Regulation (“the GDPR“) for data collectors.
Almost all of these obligations and areas of data protection has already been included in the current EU legislation. However, the GDPR specifies or significantly changes a majority of them.
Therefore, the first part of the article deals with the obligations with a higher degree of change. The second part deals with the rest of obligations.
The overview does NOT include an analysis of the obligations pursuant to a national legislation of your country. Moreover, it is NOT a legal advice. For a final list of obligations for you or your company, you need to consult a lawyer or a local data protection officer.
A. The most important change in the beginning!
The violation of these obligations might result in an administrative fine of 20 million EUR or 4 percent of the global turnover, whichever is higher. You may read more about specific obligations and respective fines here.
B. The obligations with a higher degree of change
- review and document all personal data you hold, what is the source and determine if you shared data with someone – conduct an information audit
- implement a comprehensive data protection management programme:
- implement technical and organisational measures and data protection policies to ensure the lawfulness of data processing
- review internal policies (HR, trainings, audits, reviews, awareness raising programs, etc.)
- implement measures to ensure a level of data security, such as: pseudonymisation and encryption, confidentiality, regular testing and evaluating, etc.
- implement privacy by design and by default in your company: minimize the use of personal data as much as possible
- in some cases, you need to maintain a record of processing activities under your responsibility
- in specific cases, designate a data protection officer
- ensure you follow all rules for processing of employee’s data specified in the GDPR and in your national legislation
- review or implement a system for handling personal data breaches. In case of the breach, you need to be able to implement appropriate measures, notify the public authority within 72 hours and in specific situations communicate to the data subjects
- modify your procedure for obtaining consent to implement new obligations (consent clear, distinguishable, etc.) and if you also collect personal data without person´s consent, review all grounds for such data collection
- prepare a system, which on request enables you to inform the subject about personal data processing, give an access or provide a copy of the personal data undergoing processing to the individual and/or enables you to export all personal data of a person in a structured and machine-readable format and give the export to the person or other company
- prepare a system that would enable you to erase personal data in specific situations or restrict their processing; prepare a process to communicate any erasure or restriction to everyone you shared personal data with
- prior to a processing that is likely to result in a high risk to the rights and freedoms of natural person, you will need to carry out a data protection impact assessment and in some cases consult the public authority
C. The obligations with a lower degree of change
- make all your policies and information notices concise, transparent and easily accessible
- review and update your supplier arrangements and contracts
- implement a system to handle the objections of people to their personal data processing and be able to stop processing in specific situations, especially in case of direct marketing; in case of online services, the system must be automatic
- make sure you give all necessary information to the person at the time of personal data collection or if you obtain data not from the person, at the latest within one month after
- if you use automated individual decision-making, including profiling, review that either person´s consent or another reason you used for a data collection, are lawful
- if you use sensitive data, review all legal grounds for their collection (consent, other reasons)
The overview of 15 GDPR compliance obligations for a data collector, with higher and lower degree of change Click To Tweet
D. Further obligations in specific cases
If you use the services of another person, public authority or other body to process personal data on your behalf, GDPR introduces several new obligations for you.
If you want to transfer personal data to the country outside of the EEA, you need to use one of the approved mechanisms under GDPR.
If you process the personal data of children, there are specific rules you need to follow.
If you are an organisation not established within the European union, you might still be obliged to satisfy these obligations.
If you you carry out cross-border processing of personal data, make sure you know who is your lead public authority.
E. Final list of obligations for you or your company
To determine the specific list of obligations for your company, you have to consult a data protection consultant or run a data protection audit.
In case of further questions, do not hesitate to contact us at: