Plain Spoken GDPR – Chapter 4

Anonymous Pulp Fiction

Chapter 4 – Controller and Processor

Alrighty, by a weird coincidence I’m flying over India on my way back to Britain, and in contrast we have a chapter on the roles of the Controller and Processor. Seems relatively apt. Covering Articles 24 through 43, this is one of the largest chapters in the document. I’ll do my best to signpost and make a whistle-stop tour through the articles.

Section 1 – General Obligations

Article 24 – Responsibility of the Controller

3 paragraphs. It is on the controller’s head to put appropriate technical and organisational measures in place and to be able to demonstrate compliance. Exactly how is less than well defined, though sticking to an approved code of conduct or certification (see Articles 40 and 42) can be used as evidence.

Article 25 – Data Protection by Design and by Default

3 paragraphs. In a nutshell, controllers must build privacy protection into their processing from the outset (taking into account the state of the art and the cost of implementation) and, by default, process only the personal data necessary for each specific purpose. They call out pseudonymisation by name.

Article 26 – Joint Controllers

3 paragraphs. Essentially, two or more controllers can jointly determine the purposes and means of processing, and when that happens they need to set out in a transparent arrangement which of them is responsible for what (data subject rights, the information duties and so on) and stick to it. A data subject can still exercise their rights against either controller. There is also a mention of the phrase “vis-à-vis”; I suspect that this was France’s contribution to the writing up of this regulation.

Article 27 – Representatives of Controllers or Processors not Established in the Union

5 paragraphs. This is more definition around the need for a controller or processor established outside the EU, but processing the data of people inside it, to designate a representative within the EU as a point of contact. The exceptions are occasional, low-risk processing and public authorities or bodies. Is this the Five Eyes exclusion?

Article 28 – Processor

10 paragraphs. This is a bit juicier. Processors now have a significant burden to bear. Key points are that a contract (or other binding legal act) must be drawn up to delineate the relationship between the controller and the processor, covering the subject matter, duration and purpose of the processing, the security measures, the use of sub-processors and what happens to the data at the end. And if a processor steps outside the controller’s instructions and starts determining the purposes and means of the processing itself, it is treated as a controller for that processing and carries the weight of the punishment that comes with the role. Good for controllers, a point to be watched vigilantly by processors.

Article 29 – Processing under the Authority of the Controller or Processor

1 paragraph. Nobody working under the controller or processor may process personal data except on the controller’s instructions, unless EU or member state law requires otherwise.

Article 30 – Records of Processing Activities

5 paragraphs. Very simple: a list of basic details about the processing (who the controller is, the purposes, the categories of data and recipients, any transfers outside the EU, retention periods where possible and a general description of the security measures) that will be kept in writing, electronic form included.

Article 31 – Cooperation with the Supervisory Authority

1 paragraph. You shall play nice with the supervisory authority; here in Britain I believe this will be the Information Commissioner’s Office.

Section 2 – Security of Personal Data

Article 32 – Security of Processing

4 paragraphs. You will use protection: technical and organisational measures appropriate to the risk, with pseudonymisation and encryption named explicitly, plus the ability to keep systems confidential, intact, available and resilient, to restore data after an incident, and to regularly test that all of this actually works. They roll out the reference to pseudonymisation again; they are particularly fond of obscuring names and the like. In general Gandalf was right, “Keep it secret, keep it safe!”
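Articles 25 and 32 both name pseudonymisation, but the text never shows what it looks like in practice. The following Python is an added example, not code from the original post or from the ICO: it replaces a direct identifier with a keyed HMAC-SHA256 token, keeps the key apart from the data (the “additional information kept separately” of Article 4(5)), and contrasts that with a plain unkeyed hash that a dictionary of likely e-mail addresses reverses instantly. The sample records, the field names and the function names are all my own constructions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records; the people, addresses and postcodes are made up.
SAMPLE_RECORDS: List[Dict] = [
    {"email": "alice@example.com", "postcode": "DD1 4HN", "order_total": 42.50},
    {"email": "bob@example.com",   "postcode": "EH1 1YZ", "order_total": 17.99},
    {"email": "alice@example.com", "postcode": "DD1 4HN", "order_total": 8.00},
]

# Fields that directly identify a person and must not travel with the working copy.
DIRECT_IDENTIFIERS = ("email",)


def pseudonym(value: str, key: bytes) -> str:
    """Stable keyed pseudonym: HMAC-SHA256 of the identifier under a secret key.

    The same input under the same key always yields the same token, so counts
    and joins still work on the pseudonymised copy; without the key the token
    cannot be mapped back to the person.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: Iterable[Dict], key: bytes,
                 fields: Iterable[str] = DIRECT_IDENTIFIERS) -> List[Dict]:
    """Return a copy of the records with each direct identifier replaced by a token."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in fields:
            if field in copy:
                copy[field] = pseudonym(str(copy[field]), key)
        out.append(copy)
    return out


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 of the identifier: NOT a sound pseudonym, shown for contrast."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def reidentify_by_guessing(token: str, candidates: Iterable[str],
                           key: Optional[bytes]) -> Optional[str]:
    """Dictionary attack: hash every guessable identifier and compare with the token.

    key=None models an attacker reversing an unkeyed hash. With a key, the
    attacker needs the controller's actual key, which is held separately.
    """
    for candidate in candidates:
        guess = unkeyed_hash(candidate) if key is None else pseudonym(candidate, key)
        if hmac.compare_digest(guess, token):
            return candidate
    return None


def demo() -> List[Dict]:
    """Walk through the example and return the pseudonymised records."""
    key = secrets.token_bytes(32)  # held by the controller, away from the data copy
    pseud = pseudonymise(SAMPLE_RECORDS, key)
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]

    # Linkability is preserved: both of Alice's orders carry the same token.
    assert pseud[0]["email"] == pseud[2]["email"]
    # An unkeyed hash is reversed by a dictionary of plausible addresses.
    assert reidentify_by_guessing(unkeyed_hash("alice@example.com"), guesses, None) == "alice@example.com"
    # The same dictionary fails against the keyed token without the right key...
    assert reidentify_by_guessing(pseud[0]["email"], guesses, secrets.token_bytes(32)) is None
    # ...and succeeds only for whoever holds the controller's key.
    assert reidentify_by_guessing(pseud[0]["email"], guesses, key) == "alice@example.com"
    return pseud


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Two caveats worth keeping in mind. The postcode is left in place above, and postcode plus order history can still single someone out, which is exactly why pseudonymised data is still personal data under Article 4(5) rather than anonymous data; pseudonymisation reduces risk, it does not take you out of scope. And the whole scheme stands or falls on where the key lives: if it sits in the same database or the same backup as the pseudonymised copy, you have a hash with extra steps.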

Article 33 – Notification of a Personal Data Breach to the Supervisory Authority

5 paragraphs. Data breaches will be relayed to the supervisory authority (the ICO for Brits) without undue delay and, where feasible, within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to people; if it takes longer you have to explain why. Processors have to tell their controller without undue delay. I’m assuming the directive towards security and all of these requirements mean you can’t just put your fingers in your ears: you have to be actively involved and make the report as soon as possible. I have a feeling deep down in my gut that a fair few of us (read: everyone dealing in data) will go through this process at one time or another in the next decade.

Article 34 – Communication of a Personal Data Breach to the Data Subject

4 paragraphs. If the data breach is bad (meaning a high risk to people’s rights and freedoms, or, put another way, everyone whose data was breached is now going to receive invitations to purchase penis enlargement pills through their email regardless of them actually having a penis), then the controller needs to inform the individual data subjects without undue delay.

Section 3 – Data Protection Impact Assessment and Prior Consultation

Article 35 – Data Protection Impact Assessment

11 paragraphs. Where processing is likely to result in a high risk to individuals (new technologies, large-scale monitoring, profiling and the like), a data protection impact assessment shall be carried out before the processing starts. Essentially you should know exactly what you are doing and what risks are involved before you begin.

Article 36 – Prior Consultation

5 paragraphs. Super risky data processing, where the impact assessment shows a high risk that the controller can’t bring down on its own, must be referred to the supervisory authority (ICO) for help clarifying if it’s kosher.

Section 4 – Data Protection Officer

Article 37 – Designation of the Data Protection Officer

7 paragraphs. You may well have to have one. Sounds like this regulation was written by data protection officers who were feeling like there weren’t enough good jobs out there. There are a few stipulations: a DPO is mandatory for public authorities, for organisations whose core activities involve large-scale regular and systematic monitoring of people, and for those processing special categories of data or criminal conviction data on a large scale. Everyone else may appoint one voluntarily, and plenty of organisations will find themselves in the mandatory camp.

Article 38 – Position of the Data Protection Officer

6 paragraphs. With the title I was hoping to hear that all data protection officers needed window seats. But it’s really a reference to the fact that they need to be involved properly and early, be given the resources to do the job, report to the highest level of management, and can’t be dictated to or penalised for doing it. Much like a Health and Safety Officer, they need to be in charge of data protection.

Article 39 – Tasks of the Data Protection Officer

2 paragraphs. They are in charge when it comes to data protection: informing and advising the organisation, monitoring compliance, advising on impact assessments and being the contact point for the supervisory authority. Umm kay.

Section 5 – Codes of Conduct and Certification

Article 40 – Codes of Conduct

11 paragraphs. Member states, supervisory authorities, the Board and the Commission are to encourage codes of conduct, and trade bodies and associations can draw them up and submit them to the supervisory authority for approval. It’s a good thing that the ICO are on the ball and there is nothing that we could want for in relation to codes and example contracts etc…oh wait.

Article 41 – Monitoring of Approved Codes of Conduct

6 paragraphs. Perhaps I’m a bit foggy, but it appears that this describes the process where a supervisory authority can accredit organisations to monitor and enforce codes of conduct on its behalf.

Article 42 – Certification

8 paragraphs. Straightforward. Certification schemes, seals and marks can be set up and organisations can seek them out. However, it is voluntary: the supervisory authority doesn’t have to run one and nobody needs to pursue it. My money is on this happening and involving a charge. Another revenue stream for the ICO.

Article 43 – Certification Bodies

9 paragraphs. Deputisation again, but this time with accredited bodies able to issue, renew and withdraw certifications. So spreading around the ability to generate revenue.

And that is everything in a nutshell. That’s not so bad. Be safe, be in control, make sure it’s in writing and don’t take your eye off the ball. It’s a brave new world.

Born into the wilds of mid-western America, Matthew has lived his life creating. The kind of kid that bought a tarp, some PVC pipe and a skate board; fashioned himself a windsurfing set-up and then saw an opportunity in a local tornado. "Sorry Mom." Undergraduate in Art and Design, Doctorate in Scottish History, Matthew came late to the realisation that if he's going to use his diverse skill set he'd have to employ himself.