Obligations of the data controller
The controller decides why and how personal data is processed and is responsible for compliance. GDPR has applied since 25 May 2018 and is built on seven core principles.
The 7 data protection principles
| Principle | Meaning |
|---|---|
| Transparency & lawfulness | Processing must be lawful, fair and transparent to the data subject. |
| Purpose limitation | Collect for specified, explicit, legitimate purposes only. |
| Data minimisation | Collect only what is adequate, relevant and necessary. |
| Accuracy | Keep data correct and up to date; erase or rectify errors. |
| Storage limitation | Keep data no longer than necessary for the purpose. |
| Confidentiality & integrity | Protect against unauthorised access, loss or damage (security). |
| Accountability | Be able to demonstrate compliance with all of the above. |
Data subject rights
- Duty to provide information & right of access.
- Right to rectification and the right to be forgotten (erasure).
- Right to restrict processing and data portability.
- Right to object; protection against solely automated decisions and profiling.
Data breach through GDPR's eyes
A breach involving personal data must be handled under GDPR. Map your data (data mapping) so you know what you hold and where, and align handling with ISO 27701 (the privacy extension to ISO 27001).
On personal-data loss, involve the DPO and keep contact with the supervisory authority — in Denmark, Datatilsynet — within the notification deadline.