Accountability in the age of the GDPR
On May 25, 2018 the General Data Protection Regulation (GDPR) became applicable, and updated privacy statements started filling our email inboxes. Many have wondered whether the Regulation applies to Swiss entities. Even though the answer is generally yes, we always recommend a case-by-case analysis.
But let us go further. What happens once that question has been settled? What does it actually mean to comply with the GDPR?
Companies and public administrations around the world began their race towards GDPR compliance long ago, implementing measures such as the designation of a Data Protection Officer, the right to be forgotten and the obligation to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it.
However, one of the major changes introduced by the GDPR is the enshrinement of the principle of accountability (see Article 5 § 2 of the GDPR), under which the Data Controller is actively responsible for the processing of personal data. The Data Controller is not only responsible for compliance with the Regulation but must also be able to demonstrate that compliance, which reverses the burden of proof and places it on organizations.
The principle of accountability goes hand in hand with the Regulation's risk-based approach, according to which the Data Controller must objectively assess the likelihood and severity of the risks to the rights and freedoms of data subjects arising from the processing. The Controller will therefore have to put in place controls to ensure that the processing remains compliant throughout its duration, and to preserve evidence of this. To that end, the Controller should keep a record of the processing activities carried out under its responsibility (in writing, which may be in electronic form). Moreover, where a Swiss Data Controller has a representative in the EU (see Article 27 of the GDPR), this record of processing activities must, upon request, be made available to the data protection authority of the country in which the representative is established.
While the GDPR leaves the Data Controller more discretion in deciding how to protect data, this greater freedom comes with the burden of demonstrating the reasoning that led to each specific decision and of documenting the choices made. Identifying one's privacy obligations is therefore fundamental for companies that want to avoid incurring the heavy fines provided for by the Regulation.
Our team is at your disposal to assess your compliance needs, to implement an ad hoc privacy program and to compile a record of processing activities for your organization. Take our online test to see where your organization's privacy level stands, and contact us for a tailor-made solution to ensure your compliance with the GDPR.