Who’s Enforcing GDPR?

There’s no doubt that GDPR has brought its fair share of challenges into the world of data privacy. GDPR was specifically designed to impact businesses across the globe, not just European Union Member States. Its ultimate goal, though, is to reduce regulatory differences in order to make data protection laws more consistent and make businesses more transparent.

Part of what makes GDPR innovative is that, to work as intended, the law needs collaboration among all participants. This includes data subjects, controllers and processors, data protection officers, supervisory authorities, the European Data Protection Board, and the European Commission. With so many players in the game and such a broad territorial reach, how do you know how they function together and who’s enforcing GDPR? Let’s start at the top.

The European Commission

The European Commission proposes and implements laws that align with the objectives of EU treaties, meaning that it created the rules for the protection of personal data for the EU.

If you want to look at where GDPR began, you must go back to 1995, when Directive 95/46/EC was issued to regulate the processing of personal data in a fair and lawful manner; “fair” meaning you must tell data subjects what you’re doing with their personal data and “lawful” meaning you must comply with data subjects’ rights. But then technology and the way we share and collect data changed. The 1995 directive, like many other laws and regulations, needed updating. In 2012, the European Commission proposed data protection reform to replace Directive 95/46/EC and about three years later, in December of 2015, the European Commission agreed on a final draft of the GDPR, paving the way for adoption by the European Parliament. On May 25, 2018, GDPR officially took effect and became an enforceable law.

When the European Commission needs advice or has questions about the protection of personal data, it goes to the European Data Protection Board for answers and recommendations.

European Data Protection Board

When GDPR went into effect, a major regulatory development was the establishment of the European Data Protection Board (EDPB). The EDPB has replaced the Article 29 Working Party (WP29) as the regulatory body and legal personality of GDPR but has similar membership. In fact, the EDPB has adopted much guidance from the WP29 on topics such as data protection officers, transparency, consent, and portability.

Moving forward, the EDPB will now be the source for GDPR guidance. The EDPB will have a more comprehensive purpose than the WP29, and it will be more likely to obtain feedback from the public during the course of developing guidance.

Article 70 defines the tasks of the EDPB, which include issuing guidelines and recommendations, advising and communicating with the European Commission, and ensuring consistency of the application of GDPR.

EU Member States

It’s up to each of the EU Member States to develop their own guidance around GDPR and supervise the application of the law within their territory. Because the GDPR’s scope is spread between 28 EU Member States, it gives Member States some opportunity to make adjustments for how it applies in their country. For example, the UK’s Data Protection Act 2018 recently received the Royal Assent, which works with GDPR to form new data protection principles. This act modernizes data protection laws and the Information Commissioner’s Office recommends that the Data Protection Act 2018 and GDPR be read side-by-side.

As of May 25, 2018, each of the 28 EU Member States has designated a supervisory authority to be responsible for monitoring the application of GDPR within its territory.

Supervisory Authorities

Articles 51-59 require that each EU Member State designate an independent, public authority to be responsible for monitoring the application of GDPR and addressing non-compliance, known as a supervisory authority or data protection authority (DPA). Supervisory authorities’ main purpose is to protect personal data. Supervisory authorities, although there are 28 of them, play a central role in consistent application of GDPR.

As part of Article 31, controllers, processors, and their representatives must cooperate and support supervisory authorities in the performance of tasks. Supervisory authorities are generally tasked, within their territory, to do the following:

  • Monitor and enforce GDPR
  • Promote public awareness on data subjects’ rights and risks
  • Promote awareness to controllers and processors of their obligations
  • Handle and investigate complaints
  • Cooperate with other supervisory authorities
  • Document infringements and the corrective actions given
  • Investigate the application of GDPR in the form of data protection audits and reviews
  • Exercise corrective and advisory powers

In general, the main contact point for questions or topics on personal data protection is the supervisory authority in the EU Member State where the controller or processor is based. For example, a controller or processor based in France would report to the National Commission of Computing and Freedoms in France. However, if there is cross-border processing, the supervisory authority of the main establishment acts as a lead supervisory authority.

Because GDPR is a law and not an information security or privacy framework, we’ve heard the question of “who’s enforcing GDPR?” a lot. Data subjects, controllers and processors, supervisory authorities, the European Data Protection Board, and the European Commission must work together to implement and enforce GDPR, to make data protection law more consistent, and encourage businesses to be more transparent.

Do you know who the supervisory authority in your Member State is? Do you have a DPO? Have more questions about controllers and processors? Contact us today to find the answers you need.

Auditor Insights: Are you a Data Controller or a Data Processor?

The most frequently asked question I’ve received related to GDPR has to do with data processing roles: is my organization a data controller or data processor? Determining your organization’s data role can be challenging because of textual and practical ambiguity, but identifying your role is the starting point for determining which GDPR requirements your organization must follow. The responsibilities of data controllers are different than responsibilities of data processors. As a result, organizations cannot know their GDPR compliance obligations until they determine whether GDPR defines them as a controller or processor.

What the Law Says: Responsibilities of Data Controllers

What are the responsibilities of data controllers? The law defines a data controller as the natural or legal person that determines the purpose and means for processing personal data. How much authority and decision-making over personal data does your organization have? The greater the authority, the more likely it is that an organization takes on the responsibilities of a data controller.

So, a controller does at least two things: determines the purpose and means for processing. From my perspective, the ability to determine the purpose of data processing is both easier to identify and a more logical standard for identifying whether an organization is a data controller than whether an entity determines the means of processing.

The UK Supervisory Authority, the Information Commissioner’s Office (ICO), has published guidance related to determining purposes of processing personal data. If you are the decision-maker on any of the following items, then you are subject to the responsibilities of data controllers:

  • Who decides to collect the personal data in the first place and the legal basis for doing so?
  • Who decides which items of personal data to collect?
  • Who decides what methods to use to collect personal data?
  • Who decides the purpose(s) that the data are to be used for?
  • Who decides which individuals to collect data about?
  • Who decides whether to disclose the data, and if so, who to?
  • Who decides whether subject access and other individuals’ rights apply (i.e. the application of exemptions)?
  • Who decides how long to retain the data or whether to make non-routine amendments to the data?

According to the ICO guidance on principles regarding the means of processing personal data, data controllers may determine:

  • What IT systems or other methods to use to collect personal data
  • How to store personal data
  • The detail of security surrounding the personal data
  • The means used to transfer personal data from one organization to another
  • The means used to retrieve personal data about certain individuals
  • The method for ensuring a retention schedule is adhered to
  • The means used to delete or dispose of personal data

What the Law Says: Responsibilities of Data Processors

What are the responsibilities of data processors? The law defines a data processor as the natural or legal person that processes personal data on behalf of a data controller. Processing is essentially anything done to the data, including storing, archiving, or reviewing. Data processors cannot process data without the authority of the data controller. They must notify the data controller of any breaches and of any use or change of sub-processors. Data processors must provide sufficient compliance guarantees to data controllers. It’s important to note that based on the ICO guidance, processors may have some authority to determine the “means of processing” without becoming a controller or joint controller.

What Else Should Organizations Consider?

When determining which GDPR data processing role an organization fills, organizations might think a few operational areas are key: organizational size and structure, processing activity, data source, legal/professional and contractual arrangements. In my experience, only three of these areas are fully relevant.

Organizational size and structure are irrelevant when determining your role. Only a small part of GDPR addresses organizations that have fewer than 250 employees, but that really does not impact whether an organization is a controller or a processor. Additionally, organizational structure (publicly or privately owned, single corporation, parent organization, affiliate, subsidiary, etc.) does not impact whether an organization is a controller or a processor.

Processing activity is only partially relevant in determining whether an organization is a controller or a processor because, ultimately, a controller can perform any activity that a processor performs. It should be noted that, based on practical experience and formal guidance, there are some processing activities that may be considered de facto controller activities. Specifically, payment processing and certain direct marketing activities may be considered activities that, by default, make an organization a controller.

Data source is an incredibly relevant factor in the controller/processor consideration. Where does your data come from? Is your data source the data subject? The more interaction your organization has with a data subject, the more likely that your organization is a data controller.

Specific legal and professional obligations may require organizations to operate as a controller. For example, accountants and attorneys each have legal and professional obligations to make independent decisions and, occasionally, disclosures regarding personal data that may be outside of the client’s processing authority.

Finally, contractual arrangements are a completely relevant factor in determining whether an organization is a controller or processor. Contracts should explicitly outline the purpose and means for processing data. The more authority a contract provides an entity with respect to either the purpose or the means of data processing, the more likely that entity is operating as a controller.

Once you determine whether your organization is a controller, processor, or both, your organization can then identify which GDPR requirements apply to you.

Other Roles under GDPR

Although GDPR establishes two primary data processing roles, there are several other important data processing roles that have additional compliance considerations, including:

  • Joint Controller: A joint controller exists when two or more controllers jointly have authority and determine the purposes and means for processing personal data. The requirement here is to clearly define the responsibilities among joint controllers. The organizations must share authority over the data, not just share a data pool. For example, if a few organizations make an agreement to collect, use, or combine personal data and have mutual authority over that data, you might have a joint controller relationship.
  • Controller-Processor: You can have situations where a person or organization is both a controller and a processor. A SaaS provider could serve as a data processor based on the data they receive from their clients, but they could also serve as a controller because they employ EU citizens. In this case, two sets of personal data exist, and the SaaS provider has different responsibilities towards the two sets.
  • Data Protection Officer: An individual that has expert knowledge of data protection law, is independent from an organizational reporting perspective, cannot be told how to do their job, and cannot be penalized for their job. This could be a person who’s also fulfilling other roles within an organization (without a conflict of interest), but it could also be an outside contractor.
  • Supervisory Authority: Independent, public authorities for each EU member state. Supervisory authorities are responsible for monitoring the application of GDPR and addressing non-compliance. These are the government organizations that you will be interacting with and they have the authority to create additional GDPR compliance.

Are you subject to the responsibilities of data controllers or the responsibilities of data processors? When determining whether you’re a data controller or a data processor, I encourage you to be open-minded about wherever your organization’s processes lead you. If you haven’t begun preparing for the May 25, 2018 deadline for GDPR enforcement, you should start now. For more information on GDPR readiness, contact us today.

About Mark Hinely

Mark Hinely, Esq., is a Regulatory Compliance Specialist with KirkpatrickPrice and a member of the Florida Bar, with 10 years of experience in data privacy, regulatory affairs, and internal regulatory compliance. His specific experiences include performing mock regulatory audits, creating vendor compliance programs and providing compliance consulting. He is also SANS certified in the Law of Data Security and Investigations.

More GDPR Resources

GDPR Readiness: What, Why and Who

GDPR Readiness: Are You a Data Controller or Data Processor?

ICO’s Data controllers and data processors: what the difference is and what the governance implications are