Elizabeth Denham, UK Information Commissioner at the ICO, stated that ‘arguably the biggest change [imposed by the GDPR] is around accountability.’
Data controllers and processors
Data controllers will have specific obligations to not only comply with the rules set out in the GDPR, but to actively demonstrate that compliance. As well as maintaining a paper trail evidencing steps taken to achieve the necessary security standards, data controllers will be required to implement processes to minimise risk.
A further duty to conduct ‘data protection impact assessments’ is imposed for any processing activity which is likely to result in a ‘high risk’ to the rights and freedoms of data subjects. The incoming regime sets ‘privacy by design and by default’ (Article 25’s ‘data protection by design and by default’) as a principal aim.
Data controllers will also find themselves under a positive obligation to notify their supervisory authority of any personal data breach, unless that breach is ‘unlikely to result in a risk to the rights and freedoms of individuals’. Organisations should be cautious if they plan on using this caveat to avoid notifying the ICO: the GDPR still requires every breach, notified or not, to be documented internally (facts, effects and remedial action taken), and the supervisory authority may ask to see that record when testing whether the decision not to notify was justified.
Data processors will have a related obligation to notify the data controller, without undue delay, of any breach affecting the personal data they process on that controller’s behalf, regardless of who was at fault.
After becoming aware of a notifiable breach, an organisation has 72 hours to report it to the relevant supervisory authority where feasible; if notification is made later than that, it must be accompanied by the reasons for the delay. The clock runs from awareness of the breach, not from the completion of an internal investigation.
Notifying data subjects of breaches
There is a duty to notify data subjects of any data breach concerning their personal data in scenarios where there is a ‘high risk’ of that breach impacting the rights and freedoms of those individuals. The threshold for notifying data subjects is therefore higher than that in respect of the relevant supervisory authority. Again, great caution should be shown and advice should always be taken from your Data Protection Officer and/or legal representatives. Notification of any breaches deemed to have crossed this higher threshold must be made without undue delay.