The European Union’s General Data Protection Regulation (GDPR) requires that enterprises storing or processing the personal data of any of its citizens comply with the strict rules stipulated in the regulation, and any non-compliance will result in hefty fines. Hence, the onus of data security lies on both the controllers and the processors.
Role of Controllers and Processors to Achieve GDPR Compliance
If enterprises are to be GDPR-compliant, the controllers have to ensure that proper policies and procedures are in place, and that adequate contractual controls exist between them and their processors. Cloud service providers and other data processors carry equal responsibility and must understand their clients’ needs for GDPR compliance. They need to assess their information security standards and data protection impact, along with their own record-keeping procedures. Thus, the GDPR may hold the processor equally responsible in the event of a data breach, because under the GDPR any enterprise dealing with personal data, including that of its close associates, is also responsible for achieving compliance.
Areas Where Enforcement Policies Are Necessary
The controllers have to ensure that appropriate accountability policies are in place in the following areas:
- Social media
- Data breaches
- Incident response
- Email and internet
- Information security
- External-facing website
- Data protection impact
- Monitoring in workplace
- International data transfers
- Record of processing activities
- Legitimate interests assessment
- Privacy by default or design
- Data retention and destruction
- Data Protection Officer (DPO) appointment
The list keeps growing day by day, which means that the controllers have to keep monitoring the above areas and enforcing their policies to remain GDPR-compliant.
Details to Be Provided by the Processors to EU Citizens When Requested
The GDPR requires that controllers and processors provide plain, intelligible and transparent information notices to individuals when required. The details to be included are as follows:
- The name and contact details of the processor or controller
- The categories of personal data used in the processing
- The categories of data subjects whose data is processed
- A description of the purposes of the processing of the personal information
- An explanation of the legitimate interests relied on as the lawful ground for processing, where applicable
- The names of the recipients, including those in third countries, with whom the personal data will be shared or disclosed
- Particulars of international transfers of personal data and the security measures that have been implemented
- A general description of the organizational security measures that have been deployed
Enforcement Policies for GDPR Compliance
When such information is shared with individuals, care must be taken over how it is displayed on devices or in applications. Enterprises should keep the explanation simple, so that all the essential information is given and the user receives key information statements rather than layered privacy notices or lengthy legalistic terms. If the description is addressed to children, where parental consent is not explicitly required, the information should be provided in a form that they can easily understand.
Under the GDPR, individuals have the right to object to certain processing, and they can even demand the erasure of certain personal data. Controllers and processors therefore need the technical and organizational capability to track individuals who exercise these rights. Opt-ins and opt-outs have to be tracked effectively so that the enterprise knows what to retain and what has to be erased in response to requests. It is the role of processors and controllers to keep their information notices updated and their records in place. Once the policies and procedures have been developed, their enforcement is essential to achieving GDPR compliance, and that enforcement has to be driven by the controllers in the enterprise. CASB solutions are another way to achieve GDPR compliance with ease, by enforcing restriction policies and other security controls.