GDPR Readiness: Conditional Requirements

by Sarah Harvey / October 4th, 2018

Because of the complexity and ambiguity of GDPR, it’s difficult for organizations to determine which requirements are absolute and which are conditional. These requirements can have a significant impact on budget, leadership, policies, and the project plan for compliance. In this webinar, KirkpatrickPrice’s Director of Regulatory Compliance, Mark Hinely, leads a discussion on mandatory versus conditional requirements, provides in-depth examples of conditional requirements, and explains the implications of treating conditional requirements as absolute.

What are GDPR’s Mandatory Requirements?

Under GDPR, there are requirements that organizations must comply with, regardless of size, the type of information they process, or where they are processing the data from. In other words, these requirements have no conditional clauses that would alter their applicability. Examples of GDPR’s absolute requirements include the following:

  • Legal basis for processing
  • Transparency
  • Security safeguards
  • Organizational and technical controls
  • Facilitating data subject rights
  • Controller-processor standards
  • International transfer mechanism

What are GDPR’s Conditional Requirements?

Contrary to GDPR’s mandatory requirements, there are conditional requirements whose applicability to organizations varies based on a number of factors. Examples of such conditional requirements include the following:

Records of processing: According to Article 30, processors and controllers must document specified content related to GDPR activities, unless:

  • An organization employs less than 250 people; and
  • Processing is occasional; or
  • Processing could not result in a risk to data subjects; or
  • Processing does not involve special categories of data or criminal convictions

Designated representative: According to Article 27, when organizations not established in the EU process personal data, those organizations must designate a representative in the EU, unless:

  • Processing is occasional;
  • Processing does not include large scale use of special categories/criminal convictions; and
  • Processing is unlikely to result in a risk to the rights and freedoms of data subjects

Data Protection Officer: According to Article 37, controllers and processors must designate a Data Protection Officer when:

  • Processing is carried out by a public authority or body;
  • The core activities require regular and systematic monitoring of data subjects on a large scale; or
  • The core activities consist of processing on a large scale

Data Protection Impact Assessment: According to Article 35(1) and 35(3), a controller must conduct a Data Protection Impact Assessment if they are:

  • Processing data that is likely to result in a high risk to the rights and freedoms of data subjects;
  • Systematically and extensively evaluating people, based on automated processing, including profiling, and it leads to decisions that have a legal or similar effect;
  • Processing special categories of data or criminal convictions on a large scale; or
  • Systematically monitoring of a publicly accessible area on a large scale

To learn more about each of these conditional requirements, download the full webinar now. For more information about how KirkpatrickPrice can assist you on your journey toward GDPR compliance, contact us today.